331 83 3MB
English Pages 365 Year 2008
BOOLEAN FUNCTIONS IN CRYPTOLOGY AND INFORMATION SECURITY
NATO Science for Peace and Security Series This Series presents the results of scientific meetings supported under the NATO Programme: Science for Peace and Security (SPS). The NATO SPS Programme supports meetings in the following Key Priority areas: (1) Defence Against Terrorism; (2) Countering other Threats to Security and (3) NATO, Partner and Mediterranean Dialogue Country Priorities. The types of meeting supported are generally “Advanced Study Institutes” and “Advanced Research Workshops”. The NATO SPS Series collects together the results of these meetings. The meetings are co-organized by scientists from NATO countries and scientists from NATO’s “Partner” or “Mediterranean Dialogue” countries. The observations and recommendations made at the meetings, as well as the contents of the volumes in the Series, reflect those of participants and contributors only; they should not necessarily be regarded as reflecting NATO views or policy. Advanced Study Institutes (ASI) are high-level tutorial courses to convey the latest developments in a subject to an advanced-level audience. Advanced Research Workshops (ARW) are expert meetings where an intense but informal exchange of views at the frontiers of a subject aims at identifying directions for future action. Following a transformation of the programme in 2006 the Series has been re-named and reorganised. Recent volumes on topics not related to security, which result from meetings supported under the programme earlier, may be found in the NATO Science Series. The Series is published by IOS Press, Amsterdam, and Springer Science and Business Media, Dordrecht, in conjunction with the NATO Public Diplomacy Division. Sub-Series A. B. C. D. E.
Chemistry and Biology Physics and Biophysics Environmental Security Information and Communication Security Human and Societal Dynamics
Springer Science and Business Media Springer Science and Business Media Springer Science and Business Media IOS Press IOS Press
http://www.nato.int/science http://www.springer.com http://www.iospress.nl
Sub-Series D: Information and Communication Security – Vol. 18
ISSN 1874-6268
Boolean Functions in Cryptology and Information Security
Edited by
Bart Preneel Katholieke Universiteit Leuven, Leuven, Belgium and IBBT, Belgium
and
Oleg A. Logachev Lomonosov University, Moscow, Russia
Amsterdam • Berlin • Oxford • Tokyo • Washington, DC Published in cooperation with NATO Public Diplomacy Division
Proceedings of the NATO Advanced Study Institute on Boolean Functions in Cryptology and Information Security Zvenigorod, Moscow region, Russia 8–18 September 2007
© 2008 IOS Press. All rights reserved. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without prior written permission from the publisher. ISBN 978-1-58603-878-6 Library of Congress Control Number: 2008927993 Publisher IOS Press Nieuwe Hemweg 6B 1013 BG Amsterdam Netherlands fax: +31 20 687 0019 e-mail: [email protected] Distributor in the UK and Ireland Gazelle Books Services Ltd. White Cross Mills Hightown Lancaster LA1 4XS United Kingdom fax: +44 1524 63232 e-mail: [email protected]
Distributor in the USA and Canada IOS Press, Inc. 4502 Rachael Manor Drive Fairfax, VA 22032 USA fax: +1 703 323 3668 e-mail: [email protected]
LEGAL NOTICE The publisher is not responsible for the use which might be made of the following information. PRINTED IN THE NETHERLANDS
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved.
v
Preface The NATO-Russia Advanced Study Institute “Boolean Functions in Cryptology and Information Security” was held in Zvenigorod (Moscow region, Russia) from September 8 to 18, 2007. The ASI was sponsored by NATO in cooperation with Lomonosov University, Moscow, and the Russian Foundation for Basic Research. The Organizing Committee of the ASI was headed by co-directors Bart Preneel (Katholieke Universiteit Leuven and IBBT, Belgium) and Oleg Logachev (Lomonosov University, Moscow, Russia). The Information Security Institute of Lomonosov University, Moscow was responsible for the local organization of the ASI. We would like to thank many people for their cooperation, and in particular Mikhail Anokhin and Nikolay Varnovsky. The ASI was attended by 61 participants from 11 countries. The ASI program included lectures of invited professors and talks of ASI students. We would like to acknowledge our invited professors for their contributions: Sergey Agievich (Belarus), Valeriy Alekseev (Russia), Vladimir Anashin (Russia), Yuri Borissov (Bulgaria), Nicolas Courtois (France), Thomas Cusick (USA), Sergey Gashkov (Russia), Andrew Klapper (USA), Gohar Kyureghyan (Armenia), Philippe Langevin (France), Oleg Logachev (Russia), Subhamoy Maitra (India), Miodrag Mihaljevi´c (Serbia), Svetla Nikova (Belgium), Valentin Nosov (Russia), Bart Preneel (Belgium), François Rodier (France), Pantelimon St˘anic˘a (Romania), Yuriy Tarannikov (Russia), Peter Wild (Australia), Jacques Wolfmann (France), Yuliang Zheng (Australia). The proceedings of ASI are divided into three parts: lectures of invited professors, talks of students, and some open problems. March 2008
Bart Preneel Oleg Logachev
This page intentionally left blank
vii
Contents Preface Bart Preneel and Oleg Logachev
v
Invited Talks Bent Rectangles Sergey Agievich
3
On Algebraic Algorithms Deciding Properties of Discrete Functions Valeriy Alekseev
23
Non-Archimedean Theory of T-Functions Vladimir Anashin
33
Classification of the Cosets of RM(1, 7) in RM(3, 7) Revisited Yuri Borissov, An Braeken, Svetla Nikova and Bart Preneel
58
On Boolean Functions with Generalized Cryptographic Properties An Braeken, Ventzislav Nikov, Svetla Nikova and Bart Preneel
73
Conjectures on the Number of Balanced Boolean Functions of Bounded Degree Thomas W. Cusick
97
Bit-Parallel Circuits for Arithmetic in Finite Fields Sergey B. Gashkov and Igor S. Sergeev
104
On a Family of Perfect Nonlinear Binomials Tor Helleseth, Gohar Kyureghyan, Geir Jarle Ness and Alexander Pott
126
Classification of Boolean Quartic Forms in Eight Variables Philippe Langevin and Gregor Leander
139
Local Affinity of Boolean Mappings Oleg A. Logachev, Valery V. Yashchenko and Mikhail P. Denisenko
148
Boolean Functions on Odd Number of Variables Having Nonlinearity Greater Than the Bent Concatenation Bound Subhamoy Maitra
173
Decimation Based Algebraic and Correlation Attacks and Design of Boolean Functions Miodrag J. Mihaljević
183
Constructing Families of Latin Squares over Boolean Domains Valentin A. Nosov
200
On Almost Perfect Nonlinear Boolean Functions François Rodier
208
viii
On the Nonexistence of Homogeneous Rotation Symmetric Bent Boolean Functions of Degree Greater Than Two Pantelimon Stănică
214
On Correlation Immune Boolean Functions Yuriy Tarannikov
219
A Cyclic Code Approach of Bent Functions over F2 and ℤ 4 Jacques Wolfmann
232
On Balanced Nonlinear Boolean Functions Yuliang Zheng and Xian-Mo Zhang
243
Students’ Talks On Properties of Correlation Immune Functions with High Nonlinearity Anton Botev
283
Constructing Boolean Functions with Extremal Properties Andrey Khalyavin
289
Tight Bounds Between Algebraic Immunity and Nonlinearities of High Orders Mikhail Lobanov
296
On Implementation of One Type of Recursive Construction Sergey G. Shipunov
307
On Impossibility of Uniform Distribution of Codewords over Spheres Maria Yarykina
315
On the Structure of the Spectrum Support of Boolean Functions Alexander Zverev
331
Some Open Problems Open Problems in Boolean Function Theory. The Cryptographer’s View
343
Subject Index
353
Author Index
355
Invited Talks
This page intentionally left blank
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-3
3
Bent Rectangles Sergey AGIEVICH 1 Belarusian State University, Minsk, Belarus Abstract. We study generalized regular bent functions using a representation by bent rectangles, that is, a particular class of matrices with certain rows and columns. We characterize affine transformations of bent rectangles, propose new constructions of biaffine and bilinear bent squares, study partitions of a vector space into affine planes of equal dimension, and use such partitions to build bent rectangles. We illustrate the concept of bent rectangles by examples for the Boolean case. Keywords. Walsh–Hadamard transform, bent function, regular bent function, bent rectangle, partitioning Vn into disjoint affine planes
Introduction Boolean bent functions were introduced by Rothaus [1] and Dillon [2], and since then have been widely studied in view of their interesting algebraic and combinatorial properties and because of their applications in signal processing, coding theory, and cryptography. For a surveys on bent functions, see [3,4]. In the present paper we study bent functions using a representation by bent rectangles. Rows of such rectangles consist of the Walsh–Hadamard coefficients of restrictions of a target bent function to a subset of variables. Normalized columns also consist of the Walsh–Hadamard coefficients of some Boolean functions. The notion of bent rectangles was introduced in [5]. A special kind of rectangles, all elements of which are of the same magnitude, was proposed in [6]. Authors of [7] also extensively dealt with restrictions of bent functions and actually used 2- and 4-row bent rectangles. In [8, preliminary version], bent squares are used to construct bent functions recursively. We extend the results of [5] in the following directions. In Sections 1, 2 we modify the concept of bent rectangles to the generalized regular bent functions over an arbitrary quotient ring of integers (see [9]). In Section 3 we describe affine transformations of bent rectangles. In Section 5 we propose new constructions of bent functions, which are based on biaffine and bilinear mappings. In Section 6 we study partitions of a vector space into affine planes of same dimension and use such partitions to construct bent rectangles. Additionally, in Section 4 we use bent rectangles to illustrate some known properties of Boolean bent functions. 1 National Research Center for Applied Problems of Mathematics and Informatics, Belarusian State University, Nezavisimosti av., 4, 220030 Minsk, Belarus; E-mail: [email protected].
4
S. Agievich / Bent Rectangles
1. Functions Let Zq be the ring of integers modulo q which we identify with the set {0, 1, . . . , q − 1}. ◦
◦
Denote by Zq the set of all qth roots of unity in C and √ by χ : Zq → Zq the additive character defined by χ(a) = exp(2πia/q), where i = −1. The ring of integers modulo a prime q is a field. We emphasize this fact by writing Fq instead of Zq . The set Vn = Znq consists of all vectors a = (a1 , . . . , an ), ai ∈ Zq , and forms a group under vector addition. If q is prime, then Vn is the n-dimensional vector space over the field Fq . Let Fn be the set of all functions Vn → Zq . A function f ∈ Fn depends on n variables x1 , . . . , xn , which are the coordinates of an argument x. Given J = {j1 , . . . , jm } ⊆ {1, . . . , n}, the restriction of f (x) to (xj1 , . . . , xjm ) is a function ob/ J. tained from f by substituting certain constants for variables xj for j ∈ ◦
◦
◦
Starting with f , construct the function f : Vn → Zq , f (x) = χ(f (x)), and the function f: Vn → C, f(u) =
x∈Vn
◦
f (x)χ(u · x),
u ∈ Vn .
Here u · x = u1 x1 + . . . + un xn and the bar indicates complex conjugation. It is f ≡ c, c ∈ Zq , for convenient to assume that F0 consists functions ◦ of constant ◦ ◦ which f = f ≡ χ(c). Denote F n = f : f ∈ Fn , Fn = f : f ∈ Fn . ◦
The mapping f → f (or f → f) is called the Walsh–Hadamard transform. Since
u∈Vn
χ(a · u) =
qn 0
if a = 0, otherwise
◦
for each a ∈ Vn , the inverse transform f → f can be defined as follows: ◦
f (x) = q −n
◦
f (y)
y∈Vn
= q −n
u∈Vn
u∈Vn y∈Vn
= q −n
u∈Vn
χ(u · (x − y))
◦
f (y)χ(u · y)χ(u · x)
f(u)χ(u · x).
The Walsh–Hadamard transform is often used in cryptography, coding theory, signal processing to derive some properties of f . In many cases it is important to use functions f with maxu |f(u)| as small as possible. Due to the Parseval’s identity 2 f(u) = q 2n ,
u∈Vn
5
S. Agievich / Bent Rectangles
we have maxu f(u) ≥ q n/2 , where the equality holds if and only if f (u) = q n/2 ,
u ∈ Vn .
(1)
If f satisfies (1), then it is called a bent function. If, additionally to (1), f(u) ∈ ◦
q n/2 Zq for all u, then f is called a regular bent function. Let Bn be the set of all regular bent functions of n variables. In the sequel, all subscripts, superscripts and other notation defined for Fn will be ◦ ◦ used also for subsets of Fn . For example, Bn = f : f ∈ Bn , Bn = f : f ∈ Bn . ◦
Note that Bn = q n/2 B n . 2. Rectangles
Let m, k be nonnegative integers and f ∈ Fm+k . Define a function f : Vm+k → C by f (u, v) =
y∈Vk
χ(f (u, y) + v · y),
u ∈ Vm ,
v ∈ Vk ,
(2)
and call it a rectangle of f . Denote by F m,k the set of all such rectangles. In the case
m = k we also call f a square of f . To each function f there correspond different rectangles of the sets F 0,m+k = ◦ Fm+k , F 1,m+k−1 ,. . . , F m+k−1,1 , F m+k,0 = F m+k . These rectangles are interrelated with each other. For example, if f ∈ F m,k and f ∗ ∈ F m+1,k−1 , then f (u, v, v′ ) =
y∈Zq y′ ∈Vk−1
=
◦
f (u, y, y′ )χ(vy + v′ · y′ )
f ∗ (u, y, v′ )χ(vy),
y∈Zq
v′ ∈ Vk−1 ,
and conversely, f ∗ (u, v, v′ ) =
1 f (u, y, v′ )χ(vy). q y∈Zq
For a fixed u call the mapping v → f (u, v) a column of f . Analogously, for a fixed
v call the mapping u → f (u, v) a row of f . By definition, each row of f is an element of Fk . If furthermore each column of f multiplied by q (m−k)/2 is an element of Fm , then call the rectangle f bent.
6
S. Agievich / Bent Rectangles
Our results are based on the following proposition, first stated in [5] for the case q = 2. Note that for m = 0 this proposition can be considered as a definition of regular bent functions. Proposition 1. A function f ∈ Fm+k is regular bent if and only if a rectangle f ∈ F m,k is bent. Proof. Let f ∈ Bn , n = m + k. Define the function g ∈ Fn by the rule g(v, u) = q −n/2 f(−u, v), ◦
u ∈ Vm ,
v ∈ Vk ,
and determine the corresponding rectangle g ∈ F k,m : g(v, u) = q −n/2
x∈Vm
= q −n/2
f(−x, v)χ(u · x)
x∈Vm w∈Vm y∈Vk
= q −n/2
y∈Vk w∈Vm
= q m−n/2
y∈Vk
◦
f (w, y)χ(−x · w + v · y + u · x)
◦
f (w, y)χ(v · y)
x∈Vm
χ((w − u) · x)
◦
f (u, y)χ(v · y)
= q (m−k)/2 f (u, v). Therefore, each column of f multiplied by q (m−k)/2 is an element of Fm and f is bent.
Conversely, if f is bent, then g(v, u) = q (m−k)/2 f (u, v) is well defined rectangle ◦ that corresponds to the function g(v, u), g(v, u) = q −n/2 f(u, v). Hence f(u, v) ∈ ◦
q n/2 Zq for all u, v and f is regular bent.
It is convenient to identify f ∈ F m,k with the q m × q k matrix F whose rows and columns are indexed by lexicographically ordered vectors of Vm and Vk respectively and whose elements are the values f (u, v). The definition of F puts restrictions on its rows. The bentness of F puts additional restrictions on columns. We can draw an analogy with latin rectangles and this analogy justify the use of the term “bent rectangle”. If F corresponds to a bent rectangle f ∈ Bm,k and satisfies restrictions on rows
and columns, then G = q (m−k)/2 F
T
also satisfies such restrictions and corresponds to
a bent rectangle g ∈ B k,m . Call the transformation f → g a transposition of f . During the proof of Proposition 1 we actually showed that g(v, u) = q −n/2 f(−u, v), ◦
u ∈ Vm ,
v ∈ Vk .
S. Agievich / Bent Rectangles
7
We will often use affine functions l(x) = b · x + c, where x, b ∈ Vn and c ∈ Zq , as primitives for constructing bent rectangles. Denote by An the set of all affine functions in n variables. The function l that corresponds to l has a quite simple form: q n χ(c) if u = b, l(u) = 0 otherwise.
This fact immediately gives us the following construction.
Example 1 (Maiorana–McFarland’s construction). Consider a bent square f ∈ B n,n such that all its rows and columns belong to An . The matrix F associated with f has the following form: each its row and each column contains exactly one element of the set ◦
q n Zq , all other elements are zero. This implies that there exists a permutation π : Vn → Vn and a function φ ∈ Fn such that ◦ q n φ(u) if v = π(u), f (u, v) = 0 otherwise. Consequently, f (x, y) = π(x) · y + φ(x) and we obtain a bent function belonging to well-known Maiorana–McFarland’s class.
3. Affine Transformations Let GLn (AGLn ) be the general linear (affine) group of transformations of Vn = Znq . We identify GLn with the set of all invertible n × n matrices over Zq and denote by In the identity matrix of GLn . An element σ ∈ AGLn is specified by a pair (A, a), A ∈ GLn , a ∈ Vn , and acts as follows: σ(x) = xA + a. Extend the action of AGLn to functions f with domain Vn in a natural way: σ(f )(x) = f (xA + a). Call functions f, g ∈ Fn affine equivalent if there exist σ = (A, a) ∈ AGLn and l ∈ An , l(x) = b · x + c, such that g(x) = σ(f )(x) + l(x) = f (xA + a) + b · x + c. If f and g are affine equivalent, then χ(f (xA + a) + x · (b − u) + c) g(u) = x∈Vn
=
y∈Vn
=
y∈Vn
χ(f (y) + (y − a)A−1 · (b − u) + c)
χ(f (y) − (y − a) · (u − b)(A−1 )T + c)
(3)
8
S. Agievich / Bent Rectangles
and g(u) = χ(v · a + c)f(v),
v = (u − b)(A−1 )T .
(4)
Therefore, the functions f and g are, in some sense, also affine equivalent: there exist σ ∗ ∈ AGLn and l∗ ∈ An such that ◦
g(u) = σ ∗ (f)(u)l∗ (u).
It is useful to find a relation between rectangles f , g ∈ F m,k of affine equivalent functions f and g. For example, g ∈ Bn if and only if f ∈ Bn and a correspondence
between f and g can be used to perform the affine classification of regular bent functions. Let n = m + k, where m, k ≥ 1. Divide the vector x ∈ Vn into two parts: x = (x1 , x2 ), x1 ∈ Vm , x2 ∈ Vk , and introduce the following elementary transformations f → g: A1) A2) B1) B2) C1) C2)
g(x) = f (x1 A1 + a1 , x2 ), where A1 ∈ GLm , a1 ∈ Vm ; g(x) = f (x1 , x2 A2 ) + a2 · x2 , where A2 ∈ GLk , a2 ∈ Vk ; g(x) = f (x) + b1 · x1 + c, where b1 ∈ Vm , c ∈ Zq ; g(x) = f (x1 , x2 + b2 ), where b2 ∈ Vk ; g(x) = f (x1 , . . . , xm−1 , xm − xm+1 , xm+1 , xm+2 . . . , xn ); g(x) = f (x1 , . . . , xm−1 , xm , xm+1 − xm , xm+2 , . . . , xn ).
Proposition 2. Every affine transformation f → g of the form (3) can be realized using only elementary transformations A1–C2. Under these transformations, the rectangles f , g ∈ F m,k are related as follows: A1) g(u, v) = f (uA1 + a1 , v), T A2) g(u, v) = f (u, (v − a2 )B2 ), where B2 = (A−1 2 ) ;
B1) g(u, v) = χ(b1 · u + c)f (u, v); B2) g(u, v) = χ(b2 · v)f (u, v); C1) g(u′ , u, v, v′ ) = (1/q) x,y∈Zq f (u′ , x, y, v′ )χ((u − x)(v − y));
C2) g(u′ , u, v, v′ ) = χ(uv)f (u′ , u, v, v′ ).
Here u ∈ Vm , v ∈ Vk , u′ ∈ Vm−1 , v′ ∈ Vk−1 , u, v ∈ Zq . Proof. To prove the first part of the proposition, we will show that GLn is generated by its subgroups G1 =
M1 0 0 Ik
: M1 ∈ GLm ,
G2 =
Im 0 0 M2
: M2 ∈ GLk
and additional matrices R and S of the following linear transformations:
S. Agievich / Bent Rectangles
9
x → xR = (x1 , . . . , xm−1 , xm − xm+1 , xm+1 , xm+2 , . . . , xn ), x → xS = (x1 , . . . , xm−1 , xm , xm+1 − xm , xm+2 , . . . , xn ). It is known that the group GLn (Zm ) is generated by matrices of the following transformations of a vector x (cf., e.g., [10]): 1) multiplication of the coordinates xi by invertible elements of Zm , 1 ≤ i ≤ n; 2) subtraction of xj from xi , 1 ≤ i, j ≤ n, i = j.
The groups G1 and G2 contain matrices that realize all transformations of the first type and transformations of the second type for 1 ≤ i, j ≤ m and m + 1 ≤ i, j ≤ n. We can subtract any different coordinates of x using additional matrices R and S. For example, the subtraction of xj , m + 1 ≤ j ≤ n, from xi , 1 ≤ i ≤ m, can be realized by the following steps: (a) interchange xi and xm using some matrix in G1 , (b) interchange xm+1 and xj using some matrix in G2 , (c) subtract xm+1 from xm using R, (d) interchange xi and xm , xm+1 and xj again. Thus the group generated by G1 , G2 , R, and S contains all matrices of the first and the second types and hence coincides with GLn (Zm ). The second part of the proposition is checked by direct calculations. Consider, for example, the transformation C1. We have g(u′ , u, v, v′ ) =
◦
x∈Zq y′ ∈Vk−1
=
◦
x∈Zq y′ ∈Vk−1
=
1 q
f (u′ , u − x, x, y′ )χ(vx + v′ · y′ ) ◦
x∈Zq y′ ∈Vk−1
=
g(u′ , u, x, y′ )χ(vx + v′ · y′ )
f (u′ , x, u − x, y′ )χ(v(u − x) + v′ · y′ )
x∈Zq y′ ∈Vk−1
× =
χ(v(u − x) + v′ · y′ )
y,z∈Zq
◦
f (u′ , x, z, y′ )χ((u − x − z)y)
1 χ((u − x)(v − y)) q x,y∈Zq
× =
z∈Zq y′ ∈Vk−1
◦
f (u′ , x, z, y′ )χ(yz + v′ · y′ )
1 f (u′ , x, y, v′ )χ((u − x)(v − y)) q x,y∈Zq
and the required identity holds. Therefore, we can realize any affine transformation of a rectangle F by affine permutations of its rows (A1) and columns (A2) and by multiplying its elements by qth roots
10
S. Agievich / Bent Rectangles
of unity (B1, B2, C2). The remaining transformation C1 is a single method of changing the elements of F in magnitude. Example 2 (cells). For the case q = 2 it is convenient to illustrate the transformations C1, C2 in the following way. Divide F into the cells, that is, the submatrices
f (u′ , 0, 0, v′ ) f (u′ , 0, 1, v′ ) ′
′
′
′
f (u , 1, 0, v ) f (u , 1, 1, v )
,
u′ ∈ Vm−1 ,
v′ ∈ Vk−1 ,
and during the transformations modify all of the cells simultaneously by the rules C1 :
αβ γδ
1 → 2
α+β+γ−δ α+β−γ+δ , α − β + γ + δ −α + β + γ + δ
C2 :
αβ γδ
→
α β . γ −δ
4. Illustrations In this section we consider the case q = 2 and give examples to illustrate the usage of bent rectangles for the analysis of some known properties of bent functions. Note that in the Boolean case each bent function is regular and Bn = ∅ only for even n. Start with some useful definitions and facts. We identify a Boolean function f ∈ Fn of x = (x1 , . . . , xn ) with its algebraic normal form, that is, a polynomial of the ring F2 [x1 , . . . , xn ] reduced modulo the ideal (x21 − x1 , . . . , x2n − xn ). Denote by deg f the degree of such a polynomial. Following [11], introduce the set Pn,r ⊆ Fn of plateaued functions of order r: f ∈ Pn,r if f(u) ∈ {0, 2n−r/2 } for all u ∈ Vn (more precisely, f has exactly 2r nonzero values ±2n−r/2 ). It is clear that An = Pn,0 , Bn = Pn,n . Finally, recall the following result of [5]. Lemma 1. Let q = 2, f1 , f2 , f3 , f4 ∈ Fn and g(u) =
1 f1 (u) + f2 (u) + f3 (u) + f4 (u) , 2
The function g ∈ Fn if and only if
f1 (x) + f2 (x) + f3 (x) + f4 (x) = 1,
u ∈ Vn .
x ∈ Vn .
Under this condition, g(x) = f1 (x)f2 (x) + f1 (x)f3 (x) + f2 (x)f3 (x). Now we give some examples. Example 3 (sums of bent functions). It is well-known (see [1]) that if f1 ∈ Bm and f2 ∈
Bk , then f (x, y) = f1 (x) + f2 (y) is also bent. Indeed, the rectangle f ∈ F m,k has the ◦ form f (u, v) = f (u)f2 (v) and obviously satisfies the restrictions on columns. 1
11
S. Agievich / Bent Rectangles
Example 4 (degrees of bent functions). Let f ∈ B2n , n ≥ 2. In [1], Rothaus proved that deg f ≤ n. We give a new proof of this fact. Suppose to the contrary that deg f = k > n, i.e., the polynomial f (x1 , . . . , x2n ) contains a monomial of degree k. Without loss of generality, assume that f contains the monomial xm+1 xm+2 . . . x2n , m = 2n − k. Then there are an odd number of 1’s among the values g(y) = f (0, y), y ∈ Vk , and g(0) = 2r, where r is odd. This is impossible when k = 2n since in this case g(0) = f(0) ∈ {±2n }. Therefore k < 2n and consequently m > 0. Consider f ∈ B m,k . We have f (0, 0) = g(0) = 2r and 2(m−k)/2 f (0, 0) either an odd integer or a rational number. Since functions of Fm take only even values, the restrictions on columns of f are not satisfied, a contradiction.
Example 5 (2-row bent rectangles). Let f ∈ B1,n−1 . By definition, the columns of f belong to the set 2n/2−1 F1 . Since F1 = A1 , each column takes exactly one nonzero n−1,n−2 . This fact was pointed out value ±2n/2 . It means that all rows of f are in P in [11]. In Proposition 5 we will describe how to construct (2n − 2)|Bn−2 |2 bent rectangles of B1,n−1 . For example, such a construction allows to obtain all 896 elements of B 1,3 .
Example 6 (4-row bent rectangles). Consider a rectangle f ∈ B2,n−2 . Since every func-
tion of F2 is either affine or bent, the possible values of f are exhausted by 0, ±2n/2−1 , ±2n/2 . ◦ If we restrict to the numbers ±2n/2−1 , then each column of f belongs to 2n/2−1 B2 , takes an odd number of negative values, and a product of these values is exactly −22n−4 . This result was proved in [12]. If we restrict ourselves to the numbers 0, ±2n/2 , then we obtain a bent rectangle n−2,n−4 . Proposition 5 will give 8(2n−2 − 1)(2n−3 − 1)(7 · all rows of which are in P 2n−3 − 13)|Bn−4 |4 such rectangles for n ≥ 4.
Example 7 (Rothaus’ construction). Let f1 , f2 , f3 , f4 ∈ Bn satisfy f1 (y) + f2 (y) + f3 (y) + f4 (y) = 1 for all y ∈ Vn . In [1], Rothaus showed that the function f (u1 , u2 , y) = f1 (y)f2 (y) + f1 (y)f3 (y) + f2 (y)f3 (y) + u1 (f1 (y) + f2 (y)) + u2 (f1 (y) + f3 (y)) + u1 u2 is bent. We give another proof of this fact using the rectangle f ∈ F 2,n . Lemma 1 implies that f has the following form:
⎧ f1 (v) + f2 (v) + f3 (v) − f4 (v) ⎪ ⎪ ⎪ ⎨ 1 f1 (v) − f2 (v) + f3 (v) + f4 (v) f (u1 , u2 , v) = 2⎪ f1 (v) + f2 (v) − f3 (v) + f4 (v) ⎪ ⎪ ⎩ f1 (v) − f2 (v) − f3 (v) − f4 (v)
if u1 if u1 if u1 if u1 ◦
= u2 = 0, = 0, u2 = 1, = 1, u2 = 0, = u2 = 1.
(5)
Choose an arbitrary v and construct the function h ∈ F2 : h(0, 0) = 2−n/2 f1 (v), ◦ ◦ ◦ h(0, 1) = 2−n/2 f2 (v), h(1, 0) = 2−n/2 f3 (v), h(1, 1) = −2−n/2 f4 (v). By (5), the vth
12
S. Agievich / Bent Rectangles
h. Hence f satisfies restrictions on columns and f is column of f coincides with 2n/2−1 bent. Note that the function f (u1 , u2 , y) can take all the values 0, ±2n/2−1 , ±2n/2 and the Rothaus construction yields more subtle 4-row rectangles than we consider in the previous example. Example 8 (Carlet’s transformation). Let f ∈ B2n , E ⊂ V2n be an affine plane of dimension k ≥ n, and φE ∈ F2n be the support of E, that is, φE (x) = 1 if and only if x ∈ E. In [13, p. 94], Carlet obtained conditions on a function g defined by g(x) = f (x) + φE (x) to be bent. Let us prove yet another condition: g ∈ B2n if and only if fE ∈ Pk,2(k−n) , where fE is a restriction of f to E, that is, fE (y) = f (φ−1 (y)) for some affine bijection φ : E → Vk . Without loss of generality, assume that E = {(0, a) : a ∈ Vk }. Consider the rectangles f ∈ B2n−k,k and g ∈ F 2n−k,k . They differ only in the first row: f (0, v) = fE (v),
g(0, v) = −fE (v).
h′ (u) = h(u) = 2n−k f (u, v) and Let fE (v) = 0 for some v. Consider the normed rows 2n−k g(u, v). The functions h ∈ F2n−k and h′ differ only in signs of their (nonzero) ′ values at u = 0. Therefore, h ∈ F2n−k if and only if h(0) = ±22n−k . Under this condition, fE (v) = f (0, v) = 2k−n h(0) = ±2n .
Consequently, g is bent if and only if fE takes only the values 0, ±2n , that is, fE ∈ Pk,2(k−n) .
Example 9 (normal bent functions). Following [14], call a function f ∈ B2n (weakly) normal if its restriction to some n-dimesional plane is affine. In other words, f is normal if there exists an affine equivalent function g such that M (g) = max g(u, v) = 2n , u,v∈Vn
g ∈ Bn,n .
Using the affine classification of bent functions of 6 variables (see [1]), one can check that every f ∈ B6 is normal. We give a direct proof of this fact by applying the results of Section 3. d2 φ that takes Write φ ∼ α1d1 α d1 values α1 , d2 values α2 , and so 2 . . . for a function h ∼ 44 04 . Since all rows and columns h ∼ 61 27 or h ∼ 81 07 or on. If h ∈ F3 , then
of f ∈ B3,3 are in F3 , we have M (f ) ∈ {4, 6, 8}. Let M (f ) = 4. Applying the elementary transformations A1, A2 (i.e., permuting rows and columns) and B1, B2 (i.e., changing signs of rows and columns), we can arrange elements of f into one of the following cells:
44 , 40
4 4 , 4 −4
44 . 44
13
S. Agievich / Bent Rectangles
Then apply C1, C2:
4 4 C1 6 2 −−→ , 22 40
4 4 4 −4
C1
−−→
80 , 00
44 44
C2
−−→
80 4 4 C1 −−→ , 00 4 −4
and obtain a rectangle that takes the value ≥ 6. So it is sufficient to treat the case M (f ) = 6 only. In this case we proceed in a similar manner: A1, A2, B1, B2, C2
−−−−−−−−−−−−→
6 2 8 0 C1 −−→ , 2 −6 0 −4
and obtain a rectangle that takes the value 8, which is required. Example 10 (the number of bent functions). If g ∈ Pn,2 , that is, g(ai ) = 2n−1 χ(bi ) for some bi ∈ F2 and distinct ai ∈ Vn , i = 1, 2, 3, 4, then by Lemma 1 (i) a1 + a2 + a3 + a4 = 0, (ii) b1 + b2 + b3 + b4 = 1.
In [5], we proposed an algorithm to construct bent squares f ∈ B n,n all rows and n,2 . The algorithm arranges nonzero elements columns of which are elements of An ∪ P
in the matrix F subject to the condition (i) and defines signs of elements subject to (ii). Counting different outputs of the algorithm, we obtain constructive lower bounds for |Bn,n |. In particular, the algorithm provides 1559994535674013286400 > 270.4 dis-
tinct bent squares of B4,4 and, consequently, |B8 | > 270.4 . 5. Biaffine and Bilinear Bent Squares
Consider a mapping π : Vn × Vn → Vn . As previously, for a fixed v call the mapping u → π(u, v) a restriction of π to u, and for a fixed u call the mapping v → π(u, v) a restriction to v. Say that π is biaffine (bilinear) if all its restrictions to u and v are affine (linear) transformations of Vn . A biaffine mapping is nonsingular if all its restrictions are invertible. A bilinear mapping is nonsingular if all its restrictions to u for v = 0 and to v for u = 0 are invertible. Choose an arbitrary function g ∈ Fn and construct a bent square f ∈ B n,n such
that the corresponding matrix F consists almost only of the values of g permuted in ◦
some order and multiplied by elements of Zq . Informally speaking, we “scatter” values
of g over F . Relation (4) between the Walsh–Hadamard coefficients of affine equivalent functions allows us to make such a scattering using a nonsingular biaffine or bilinear mapping. The obtained constructions are given by the following two easily verified propositions.
Proposition 3 (biaffine bent squares). Let π be a nonsingular biaffine mapping Vn × Vn → Vn , g ∈ Fn , φ ∈ F2n , and all restrictions of φ(u, v) to u ∈ Vn and v ∈ Vn are affine functions. Then the square
14
S. Agievich / Bent Rectangles ◦
f (u, v) = φ(u, v) g (π(u, v)) is bent. Proposition 4 (bilinear bent squares). Let π be a nonsingular bilinear mapping Vn × Vn → Vn , g ∈ Fn , φ be defined as in the previous proposition, and h, h′ ∈ Fn be such that h(0) = h′ (0),
Then the square
◦
h(u) = φ(u, 0) g (0), f (u, v) =
◦
h′ (v) = φ(0, v) g (0),
h(0)
u, v ∈ Vn \ {0}.
if u = v = 0,
◦
φ(u, v) g (π(u, v)) otherwise
is bent. Note that any function of the form φ(u1 , . . . , un , v1 , . . . , vn ) =
n
αij ui vj +
i,j=1
n
βi ui +
i=1
n
γi vi + δ,
i=1
αij , βi , γj , δ ∈ Zq . satisfies the condition of the above propositions. Note also that in Proposition 4 we can easily construct h and h′ if g(0) = 0. Indeed, in this case it is sufficient to choose h = h′ ≡ c, c ∈ Zq . In Proposition 3 we can use the following nonsingular biaffine mapping π(u, v) = uA + vB + uC1 vT , . . . , uCn vT + d,
where d ∈ Vn and A, B, C1 , . . . , Cn are n × n matrices over Zq such that A + (C1 vT , . . . , Cn vT ) and B + (C1T uT , . . . , CnT uT ) are invertible for every v and u. Further, each nonsingular bilinear mapping π has the form π(u, v) = uAv ,
(6)
where Av are n × n matrices over Zq such that
(i) A0 = 0 and Av ∈ GLn for all nonzero v ∈ Vn ; (ii) Av+v′ = Av + Av′ for all v, v′ ∈ Vn .
Indeed, considering restrictions of π to u, we get (6). Since each such restriction for v = 0 must be invertible, Av ∈ GLn for all nonzero v. For each fixed u the mapping v → uAv must be linear. Therefore, uAv+v′ = u(Av + Av′ ) for all v and v′ , which yields (ii) and the first part of (i). Assume further that q is prime. The structure R = {Av : v ∈ Vn } is related to some concepts of projective geometry. Consider the following subspaces of V2n :
15
S. Agievich / Bent Rectangles
E∞ = {(0, v) : v ∈ Vn },
Ev = {(u, uAv ) : u ∈ Vn },
v ∈ Vn .
(7)
Every such subspace is of dimension n, the intersection of any two different subspaces is zero subspace, and, consequently, the union of the subspaces is V2n . A set of subspaces with these properties is called a spread of V2n . Observe that the condition (ii) is too strong for the set (7) to be a partial spread. We need only that A − A′ ∈ GLn for all distinct A, A′ ∈ R (with the additional property In ∈ R such a set R is called a quasifield). Spreads are used in the following well-known construction of bent functions. Example 11 (Dillon’s construction). Consider a spread (7) determined by a set R = {Av : v ∈ Vn }. Choose c ∈ Fq and an arbitrary function g ∈ Fn such that g(0) = c. In [2], Dillon actually proved that the function f ∈ F2n , c if x ∈ E∞ , f (x) = g(v) if x ∈ Ev ,
is regular bent. The corresponding bent square f ∈ B n,n has the form f (u, v) =
q n χ(c)
◦
y∈Vn g(y)χ(uAy · v)
if u = v = 0, otherwise.
We see that the Dillon’s bent squares are similar to the bilinear ones. In particular, if elements of R satisfy the conditions (i) and (ii), then the Dillon’s construction is covered by Proposition 3 under the choice h = h′ ≡ c, φ ≡ 0, π(u, v) = vBuT , where the matrices Bu are such that uAy = yBu for all u, y ∈ Vn . Remark that the Maiorana–McFarland’s bent squares can be represented in the form of Proposition 4 with the only change that g is necessarily affine. The simple form of g in this case allows to relax the conditions of the proposition: we can use an arbitrary φ and choose π(u, v) such that all its restrictions to u and v are bijections (not necessarily affine).
6. Partitioning Vn into Affine Planes Let q be prime and L be a linear subspace of Vn = Fnq of dimension r. Write the latter as L < Vn , dim L = r. Recall that the number of distinct r-dimensional subspaces of Vn is given by the Gaussian coefficient
(q n − 1)(q n−1 − 1) . . . (q n−r+1 − 1) n , = r q (q r − 1)(q r−1 − 1) . . . (q − 1)
0 ≤ r ≤ n.
Let E = L + b be an affine plane obtained by a shift of L by a vector b ∈ Vn . The plane E is the image of the affine mapping π : Vr → Vn , w → wA + b, under a suitable choice of the r × n matrix A over Fq of rank r.
16
S. Agievich / Bent Rectangles
Given g ∈ Fr , construct the function h ∈ Fn ,
h(x) = g xAT + b · x,
x ∈ Vn .
(8)
Call the transformation g → h a stretching of g to the plane E. Under the stretching h(v) =
◦
x∈Vn
= q −r
g(xAT )χ((b − v) · x)
x∈Vn w∈Vr
= q −r
w∈Vr
and, consequently,
g(w)
g(w)χ(xAT · w + (b − v) · x)
x∈Vn
χ((π(w) − v) · x)
q n−r g(π −1 (v)) if v ∈ E, h(v) = 0 otherwise.
(9)
Consider bent rectangles f ∈ Bm,n , m = n−r that have all rows of the form (9) and all columns in the set q r/2 Am . Such bent rectangles were first introduced by Carlet [15]
for the case q = 2. Note that after the transposition of f we obtain the rectangle f ∗ ∈
B n,m that corresponds to the so called (see [16]) partial affine bent function f ∗ ∈ Bn+m : each restriction of f ∗ (x, y) to x ∈ Vn is affine. Proposition 5 (partitions into affine planes). Let m, r be nonnegative integers, n = m + r, u ∈ Vm , v ∈ Vn , and q m gu (πu−1 (v)) if v ∈ Eu , f (u, v) = 0 otherwise,
where gu ∈ Br and πu are mappings Vr → Vn such that Eu = πu (Vr ) are affine planes of dimension r. If the planes {Eu } are nonintersecting and therefore determine a
partition of Vn , then f ∈ B m,n .
Example 12. Let q = 2. Choose the following partition of V4 into the planes of dimension 2: E(0,0) = {(0, 0, 0, 0), (0, 0, 0, 1), (0, 0, 1, 0), (0, 0, 1, 1)}, E(0,1) = {(0, 1, 0, 0), (0, 1, 0, 1), (1, 1, 0, 0), (1, 1, 0, 1)}, E(1,0) = {(0, 1, 1, 0), (0, 1, 1, 1), (1, 0, 0, 0), (1, 0, 0, 1)}, E(1,1) = {(1, 0, 1, 0), (1, 0, 1, 1), (1, 1, 1, 0), (1, 1, 1, 1)}. Using this partition, we construct the rectangle f ∈ B 2,4 with the matrix
17
S. Agievich / Bent Rectangles
⎛
⎞
±8 ±8 ±8 ±8 0 0 0 0 0 0 0 0 0 0 0 0 ⎜ 0 0 0 0 ±8 ±8 0 0 0 0 0 0 ±8 ±8 0 0 ⎟ ⎟ F =⎜ ⎝ 0 0 0 0 0 0 ±8 ±8 ±8 ±8 0 0 0 0 0 0 ⎠ 0 0 0 0 0 0 0 0 0 0 ±8 ±8 0 0 ±8 ±8
where signs of the elements are determined by unspecified bent functions gu ∈ B2 . It is convenient to assume that every one-element subset of a vector space is an affine plane of dimension 0 and that B0 = F0 . Then under r = 0 the above proposition gives us all Maiorana–McFarland’s bent squares. In general, Proposition 5 allows to construct (q m )!cq (n, m)|Bn−m |q
m
distinct regular bent functions of n+m variables. Here cq (n, m) is the number of distinct unordered partitions of Vn = Fnq into q m affine planes of dimension n − m. To obtain bounds on cq (n, m), consider some partition {E1 , E2 , . . . , Eqm } counted by cq (n, m). Let Ei = Li + bi , where Li < Vn , bi ∈ Vn , and W = L1 ∩ L2 ∩ . . . ∩ Lqm . Call the partition {Ei } primitive if W = {0}. Denote by c∗q (n, m) the number of distinct unordered primitive partitions of Vn into planes of dimension n − m. Suppose that {Ei } is not primitive, that is, d = dim W ≥ 1. Then Vn can be represented as the direct sum U ⊕ W , U < Vn , dim U = n − d, and each plane Ei takes the form {u + w : u ∈ Ei′ , w ∈ W }, where Ei′ = Ei ∩ U is an affine plane of U of dimension n − m − d. The planes E1′ , E2′ , . . . , Eq′ m determine a primitive partition of U . There are c∗q (n − d, m) ways to choose such a partition, nd q ways to choose W and, consequently, cq (n, m) =
n−m
d=0
n c∗ (n − d, m). d q q
(10)
Denote by Li + Lj the subspace of Vn consisting of the sums v + v′ , where v runs over Li and v′ runs over Lj . For each distinct i, j ∈ {1, 2, . . . , q m } we have dim(Li ∩ Lj ) = dim Li + dim Lj − dim(Li + Lj ) ≥ (n − m) + (n − m) − n = n − 2m. If dim(Li ∩ Lj ) = n − 2m, then Li + Lj = Vn and bj − bi = v + v′ for some v ∈ Li , v′ ∈ Lj . It means that |Ei ∩ Ej | = |Li ∩ (Lj + v + v′ )| = |(Li − v) ∩ (Lj + v′ )| = |Li ∩ Lj | =
0, a contradiction. Hence dim(Li ∩ Lj ) ≥ n − 2m + 1.
(11)
18
S. Agievich / Bent Rectangles
Under m = 1 this inequality yields that L1 = . . . = Lq = W , where dim W = n − 1. Therefore, c∗q (1, 1) = 1, c∗1 (n, 1) = 0 for n ≥ 2, and cq (n, 1) =
qn − 1 n . c∗q (1, 1) = n−1 q q−1
For the case q = 2 we also obtain the estimate
1 n n = (2n − 1)(2n−1 − 1)(7 · 2n−1 − 13) + 98 c2 (n, 2) = n−3 2 n−2 2 3 (cf. Example 6) using the following result. Lemma 2. c∗2 (2, 2) = 1, c∗2 (3, 2) = 98, and c∗2 (n, 2) = 0 for n ≥ 4. Proof. The first equality is trivial. Further, if q = 2 then each partition of V3 into two8! element subsets is also the partition into affine planes. There are 4!2 4 = 105 such distinct (unordered) partitions and
3 ∗ c∗ (2, 2) = 98 c2 (3, 2) = 105 − 1 2 2 of them are primitive. We prove the third equality by a contradiction. Suppose that n ≥ 4 and {Ei = Li +bi : i = 1, 2, 3, 4} is a primitive partition of Vn into planes of dimension n−2. Let us analyze the properties of such hypothetical partition which help to reveal a contradiction. A. Let U = L1 + L2 + L3 + L4 . Prove that U = Vn . Note that dim U ≥ dim L1 = n − 2. If dim U = n − 2, then L1 = L2 = L3 = L4 and the partition {Ei } is not primitive for n ≥ 3. Suppose that dim U = n − 1 and let, without loss of generality, U = {(x, 0) : x ∈ Vn−1 }. Denote Ui = Ei ∩ U . Since {Ei } is a partition, Ei = Ui + (0, . . . , 0, bi ) for some bi ∈ F2 , where there are two 0’s and two 1’s among {bi }. Assume for simplicity that b1 = b2 and therefore b3 = b4 . Then U1 ∪ U2 = Vn−1 and U3 ∪ U4 = Vn−1 . As we show later, this yields L1 = L2 and L3 = L4 . Now using (11) we obtain dim(L1 ∩ L2 ∩ L3 ∩ L4 ) = dim(L1 ∩ L3 ) ≥ n − 3 and the partition {Ei } is not primitive for n ≥ 4. B. Prove that dij = dim(Li ∩ Lj ) = n − 3 for all 1 ≤ i < j ≤ 4. By (11), dij ∈ {n − 3, n − 2}. Suppose that dij = n − 2 for some i and j, say for i = 3 and j = 4. Then L3 = L4 , dim(L1 ∩ L2 ∩ L3 ∩ L4 ) = dim(L1 ∩ L2 ∩ L3 ) = dim(L1 + L2 + L3 ) −
dim Li +
≥ n − 3(n − 2) + 3(n − 3) = n − 3, and the partition {Ei } is not primitive for n ≥ 4.
dij
19
S. Agievich / Bent Rectangles
C. Prove that dijk = dim(Li ∩ Lj ∩ Lk ) ∈ {n − 4, n − 3} for all 1 ≤ i < j < k ≤ 4 and moreover dijk = n − 3 for n > 4. Indeed, dijk ≤ dij = n − 3 and dijk = dim Li + dim(Lj ∩ Lk ) − dim(Li + (Lj ∩ Lk )) ≥ (n − 2) + (n − 3) − dim(Li + Lj ) = n − 4. If some coefficient dijk is equal to n − 3, say d123 = n − 3, then dim((L1 ∩ L2 ∩ L3 ) + L4 ) = d123 + dim L4 − dim(L1 ∩ L2 ∩ L3 ∩ L4 ) = (n − 3) + (n − 2) + 0 = 2n − 5. On the other hand, dim((L1 ∩ L2 ∩ L3 ) + L4 ) ≤ dim(L1 + L4 ) = n − 1 and we obtain the inequality 2n − 5 ≤ n − 1, which does not hold for n > 4. Putting A, B, and C together, we get dim(L1 ∩ L2 ∩ L3 ∩ L4 ) =
dim Li −
dij +
= 4(n − 2) − 6(n − 3) +
dijk − dim dijk − n
Li
≥ 4(n − 2) − 6(n − 3) + 4(n − 4) − n = n − 6.
Consequently, the partition {Ei } is primitive only if n ≤ 6 and dijk = 3n − 10. We need to check these conditions. If n = 4, then two coefficients dijk are equal to n − 3 = 1, say d123 = d124 = 1. Then dim(L1 ∩ L2 ∩ L3 ∩ L4 ) = 1, a contradiction. If n = 5, then there exists dijk = n − 3 = 2, a contradiction to the second part of C. Finally, if n = 6, then dim(L1 ∩ L3 ) = dim L1 + dim L3 − dim(L1 + L3 ) ≤ 8 − dim((L1 ∩ L2 ) + (L3 ∩ L4 )) = 8 − (dim(L1 ∩ L2 ) + dim(L3 ∩ L4 ) − dim(L1 ∩ L2 ∩ L3 ∩ L4 )) = 8 − (3 + 3 − 0) = 2 that contradicts B. The above lemma allows to find all partitions of Vr+2 into planes of dimension r. This will be done in the proof of the next result. Proposition 6. Let q = 2, r ≥ 2, f ∈ B2,r+2 be constructed by Proposition 5 and f (u, x), u ∈ V2 , x ∈ Vr+2 , be a corresponding bent function. Then f can be transformed into one of the following functions:
20
S. Agievich / Bent Rectangles
g(u, x) = u1 u2 (g1 (x3 , y) + g2 (x3 , y) + g3 (x3 , y) + g4 (x3 , y)) + u1 (g1 (x3 , y) + g2 (x3 , y) + x2 ) + u2 (g1 (x3 , y) + g3 (x3 , y) + x1 ) + g1 (x3 , y),
(12)
g(u, x) = u1 u2 (g1 (x3 , y) + g2 (x3 , y) + g3 (x2 , y) + g4 (x2 , y) + x2 + x3 ) + u1 (g1 (x3 , y) + g2 (x3 , y) + x2 ) + u2 (g1 (x3 , y) + g3 (x2 , y) + x1 ) + g1 (x3 , y),
(13)
g(u, x) = u1 u2 (g1 (x3 , y) + g2 (x1 , y) + g3 (x1 + x2 + x3 , y) + g4 (x2 , y) + x1 ) + u1 (g1 (x3 , y) + g2 (x1 , y) + x2 ) + u2 (g1 (x3 , y) + g3 (x1 + x2 + x3 , y) + x2 + x3 ) + g1 (x3 , y),
(14)
where x = (x1 , x2 , x3 , y), y ∈ Vr−1 , gi ∈ Br , by affine permutations acting only on the variables u or x. Proof. Consider partitions of V3 into planes of dimension 1. Denote such a plane {b, b+ e} by [b, e]. Let ei be the vector of V3 having only the ith coordinate nonzero. It is easy to check that every partition of V3 can be transformed into one of the following {[0, e3 ], [e2 , e3 ], [e1 , e3 ], [e1 + e2 , e3 ]}, {[0, e3 ], [e2 , e3 ], [e1 , e2 ], [e1 + e3 , e2 ]}, {[0, e3 ], [e2 , e1 ], [e2 + e3 , e1 + e2 + e3 ], [e1 + e3 , e2 ]} by an affine permutation of coordinates. Choose some of these partitions, replace each its plane [b, e] by [b, e] ⊕ Vr−1 = {(b, 0) + α(e, y) : α ∈ F2 , y ∈ Vr−1 } and obtain the partition of Vr+2 into the planes of dimension r. Call such a partition canonical (for example, a canonical partition was used in Example 12). Lemma 2 implies that each partition of Vr+2 can be transformed into some canonical one by an affine permutation of coordinates. Define a canonical ordering on planes of a partition such that if a plane P precedes a plane Q, then min P lexicographically precedes min Q, where minima are taken w.r.t. the lexicographical order (cf. Example 12). Let a bent rectangle f be constructed by Proposition 5 using a partition {Eu }. By
an affine permutation of columns of f , the partition {Eu } can be transformed into some canonical one and by an affine permutation of rows, the canonical ordering of planes can be achieved. Thus, it is sufficient to consider bent rectangles g built by the canonical partitions {Eu } under the canonical ordering and determine the corresponding bent
S. Agievich / Bent Rectangles
21
functions g(u, x). To do this, we can use the stretching equations (8), (9) to calculate the restrictions of g to x and then utilize the representation g(u1 , u2 , x) =
(u1 + α1 + 1)(u2 + α2 + 1)g(α1 , α2 , x).
α1 ,α2 ∈F2
For example, if g is built by the third canonical partition, then its restrictions to x look as follows: g(0, 0, x) = g1 (x3 , y), g(0, 1, x) = g2 (x1 , y) + x2 , g(1, 0, x) = g3 (x1 + x2 + x3 , y) + x2 + x3 , g(1, 1, x) = g4 (x2 , y) + x1 + x3 and we obtain (14). It is interesting that if f ∈ B2,r+2 is constructed by Proposition 5 and f1 (x), f2 (x), f3 (x), f4 (x) are the restrictions of f (u, x) to x, then all the functions fi + fj , 1 ≤ i < j ≤ 4, are balanced, that is, they take the values 0 and 1 equally often. Indeed, if g(u, x) has one of the forms (12)–(14), then each sum of two its distinct restrictions to x is balanced. This easily follows from the form of g, the fact that h(x) = h∗ (x1 , . . . , xk−1 , xk+1 , . . . , xr+2 ) + xk , and all derived functions σ(h)(x), σ ∈ AGLr+2 , are balanced. By Proposition 6, f can be obtained from g by separate affine permutations of u and x. But a permutation of u only rearranges the restrictions, and a permutation of x does not change the balance of their sums.
7. Conclusion The author plans to continue this paper and discuss the duality between bent functions, the properties of bent rectangles with a small number of rows, and the affine classification of cubic Boolean bent functions.
References [1] O.S. Rothaus, On “bent” functions, J. Comb. Theory A 20 (1976), 300–305. [2] J. Dillon, A survey of bent functions, NSA Technical Journal, Special Issue (1972), 191–215. [3] C. Carlet, Recent results on binary bent functions, J. of Combinatorics, Information and System Sciences 24 (1999), 275–291. [4] H. Dobbertin and G. Leander, A survey of some recent results on bent functions, Sequences and Their Applications: Third International Conference (SETA’2004, Seoul, Korea, October 24–28, 2004), Lecture Notes in Computer Science 3486 (2005), Springer, 1–29. [5] S. Agievich, On the representation of bent functions by bent rectangles, Probabilistic Methods in Discrete Mathematics: Fifth International Conference (Petrozavodsk, Russia, June 1–6, 2000), Utrecht, Boston: VSP, 2002, 121–135. [6] C.A. Adams and S.E. Tavares, Generating and counting binary bent sequences, IEEE Trans. on Inform. Theory IT-36 (1990), 1170–1173.
22
S. Agievich / Bent Rectangles
[7] A. Canteaut and P. Charpin, Decomposing bent functions, IEEE Trans. on Inform. Theory IT-49 (2003), 2004–2019. [8] H. Dobbertin and G. Leander, Cryptographer’s Toolkit for Construction of 8-Bit Bent Functions, Cryptology ePrint Archive, Report 2005/089, http://eprint.iacr.org/. [9] P.V. Kumar, R.A. Scholtz, and L. R. Welch, Generalized bent functions and their properties, J. of Comb. Theory A 40 (1985), 90–107. [10] B.L. van der Waerden, Algebra II, Springer-Verlag, Berlin, Heidelberg, New York, 1967. [11] Y. Zheng and X.M. Zhang, Plateaued functions, Information and Communication Security: Second International Conference (ICICS’99, Sydney, Australia, November 9–11, 1999), Lecture Notes in Computer Science 1726, Springer, 284–300. [12] B. Preneel, W. Van Leekwijck, L. Van Linden, R. Goevarts, and J. Vanderwalle, Propagation characteristics of Boolean functions, Proc. of EUROCRYPT’90 (Aarhus, Denmark, May 21–24, 1990), Lecture Notes in Computer Science 437 (1991), Springer, 161–173. [13] C. Carlet, Two new classes of bent functions, Proc. of EUROCRYPT’93 (Lofthus, Norway, May 23–27, 1993), Lecture Notes in Computer Science 765 (1994), Springer, 77–101. [14] H. Dobbertin, Construction of bent functions and balanced Boolean functions with high nonlinearity, Fast Software Encryption: Second International Workshop (Leuven, Belgium, December 14–16, 1994), Lecture Notes in Computer Science 1008 (1995), Springer, 61–74. [15] C. Carlet, On the confusion and diffusion properties of Maiorana–McFarland’s and extended Maiorana– McFarland’s functions, Special Issue “Complexity Issues in Coding and Cryptography”, dedicated to Prof. H. Niederreiter on the occasion of his 60th birthday, J. of Complexity 20 (2004), p. 182–204. [16] O.A. Logachev, A.A. Salnikov, and V.V. Yashchenko, Bent functions and partitions of a Boolean cube, Formal Power Series and Algebraic Combinatorics: 12th International Conference (FPSAC’00, Moscow, Russia, June 26–30, 2000), 2000, 43–48 (In Russian).
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-23
23
On Algebraic Algorithms Deciding Properties of Discrete Functions1 Valeriy ALEKSEEV Lomonosov University, Moscow, Russia Abstract. In this paper we introduce the notion of logical semiring and give examples of using such semirings in designing fast algorithms for discrete problems. Keywords. Algorithm, complexity, Boolean function, discrete function
Algorithms for combinatorial problems usually exploit only combinatorial methods and sometimes it is a hard problem to enhance the efficiency of such algorithms in this setting. Conversion of a combinatorial problem into an algebraic problem can open a possibility to use powerful algebraic transformations and can help in searching for algorithms with less complexity. This paper explores some conversions of such kind and gives some examples of using such transformations. We consider here the problem of deciding properties of Boolean and other discrete (k-valued) functions. It is well known that the complexity of this problem depends essentially on the representation of its instances. Consider the following example. Let S and S1 be any finite posets and let R(y1 , y2 ) and R1 (y1 , y2 ) be the partial order relations over S and S1 , respectively. Define the relation Rn over Cartesian degree α = (α1 , . . . , αn ) | ∀ i αi ∈ S} as follows S n = { , β ≡ ∀ j R(αj , βj ). Rn α
(1)
, β ∈ S n the following Then a mapping f : S n → S1 is said to be monotone iff for any α implication holds , β =⇒ R1 f ( α), f β . Rn α
(2)
Consider the problem of checking if a given Boolean function f is monotone. The complexity of this problem depends essentially on the representation chosen. If functions are specified by formulas then this problem is NP-complete. If they are represented only by polynomials then there exists an algorithm for this problem with polynomial complexity. In what follows we consider the representation of Boolean and other discrete functions by strings of their values according to some fixed order of all tuples of values of variables. As the model of computation, one can use RAM machines [1], but for simplisity we consider nonuniform case. Namely, we consider deciding properties of functions by 1 This work was partially supported by the Russian Foundation for Basic Research (grants no. 06-01-00438, 07-01-00154).
24
V. Alekseev / On Algebraic Algorithms Deciding Properties of Discrete Functions
families of Boolean circuits. Each circuit solves this problem for all functions with a fixed number of variables. Input of such a circuit is a string of values of a function (binary codes of this values in the case k-valued functions) and output is equal to 1 (“yes”) or to 0 (“no”). Complexity measure is defined to be the size of this Boolean circuit. Let a function f : S n → S1 be specified by the string of all its values and we are to check if f is monotone. One can simply check implication (2) for all pairs α ∈ S n , β ∈ S n and then take the conjunction of all the results. If we denote |S|n = N (this is of the same order as the length of input), then the number of such verifications is N 2 . Using the transitivity we can only check those pairs α ∈ S n , β ∈ S n that differ only in one position reducing the number of verifications to O(N n) = O(N log N ). Using a more sophisticated √technique Voronenko [2] designed an algorithm for this problem with complexity O(N log N log log N ). But if we generalize this problem a little then the situation is not that simple. Let now R(y1 , y2 ) and R1 (y 1 , y2 ) be arbitrary relations over sets S and S1 , ren , β over S n by (1). By U (R, R1 ) we denote the set of spectively. Define the R α n all functions f : S → S1 satisfying (2). Consider again the problem: given f , decide whether f ∈ U (R, R1 ). For simplicity, let S = {0, 1, . . . , k − 1}, S n be ordered lexicographically, and f be specified by the string of all its values according to this order. Let N = k n . For this problem, also there is an algorithm with complexity O(N 2 ), but it is not that simple to reduce this complexity in general. The next theorem shows how to find a faster algorithm using a simple reduction of this decision problem to evaluating algebraic expression. Theorem 1. For fixed relations R over S and R1 over S1 there is an algorithm with bit complexity O(N log N ) that decides whether f ∈ U (R, R1 ). Proof. Statement f ∈ / U (R, R1 ) can be represented by the following logical formula ∃α = (α1 , . . . , αn ) ∃ β = (β1 , . . . , βn )
. α), f β ∀ j R(αj , βj ) & ¬R1 f (
This formula can be transformed into the form
∃ p(∈ S1 ) ∃ q(∈ S1 ) ∃ α ∃ β ∀ j R(αj , βj ) & (f ( α) = p) & f β = q & ¬R1 (p, q) .
Since quantifiers are over finite sets, one can replace them by disjunctions and conjunctions: R(α1 , β1 )R(α2 , β2 ) · · · R(αn , βn )(f ( α) = p) f β = q . (p,q):¬R1 (p,q) α
β
Since the first disjunction is over a finite set and complexity of computing logical values of all “f ( α) = p” and “f β = q” is O(N ) for fixed p, q, one needs only to prove that expression
V. Alekseev / On Algebraic Algorithms Deciding Properties of Discrete Functions
α
β
25
(3)
R(α1 , β1 ) · · · R(αn , βn )xα yβ
for a given setting of variables xα , yβ can be evaluated with bit complexity O(N log N ). But now we can use algebraic transformations. Denote (α 0 and (β1 , . . . , βn−1 ) by β0 , so that α = ( α0 , αn ), 1 , . . . , αn−1 ) by α β = β0 , βn . Then (3) can be written as: α 0 β 0
R(α1 , β1 ) · · · R(αn−1 , βn−1 )
=
=
α 0 β 0
αn α 0 β 0
=
αn
αn β n
R(αn , βn )xα 0 ,αn yβ0 ,βn
R(α1 , β1 ) · · · R(αn−1 , βn−1 )
αn
xα 0 ,αn
R(α1 , β1 ) · · · R(αn−1 , βn−1 )xα 0 ,αn
βn :R(αn ,βn )
βn :R(αn ,βn )
⎛ ⎝ R(α1 , β1 ) · · · R(αn−1 , βn−1 )xα 0 ,αn z
β0 ,αn
α 0 β 0
⎞
yβ0 ,βn yβ0 ,βn
⎠
where zβ0 ,αn = βn :R(αn ,βn ) yβ0 ,βn . The expression in parentheses for a fixed αn is again of the form (3). Thus we have reduced our problem for n to k similar problems for n − 1. Let L(N ) = L1 (n) be the minimum bit complexity of computing (3). Because calculation of all zβ0 ,αn and taking the disjunction over αn take at most O(k n ) operations, we have L1 (n) ≤ kL1 (n − 1) + O(k n ). Substituting N for n, one can rewrite this as L(N ) ≤ kL
N k
+ O(N ).
It is well known [1] and easy to show that the last inequality implies L(N ) = O(N log N ). In the proof of Theorem 1 we used Boolean algebra over {0, 1} with operations of disjunction and conjunction. Now we turn to ideas that provide for opportunity to use more powerful algebras. Definition 1. A set A with two operations + and · is said to be a commutative semiring iff the following holds for all its elements: 1) a + b = b + a, ab = ba; 2) (a + b) + c = a + (b + c), (ab)c = a(bc); 3) (a + b)c = (ac) + (bc).
26
V. Alekseev / On Algebraic Algorithms Deciding Properties of Discrete Functions
Example 1. The set {0, 1} with operations of disjunction and conjunction is a commutative semiring. This semiring is denoted by S2 . Definition 2. A commutative semiring A is said to be logical iff there is a homomorphism of A onto S2 . If A0 and A1 are preimages of 0 and 1 w.r.t. such a homomorphism then we denote this logical semiring by (A0 , A1 ). Note: if (A0 , A1 ) is a logical semiring then A0 can be considered as generalized false and A1 can be considered as generalized truth. In this setting operations of addition and multiplication in A0 ∪ A1 can be considered as disjunction and conjunction. Example 2. Let N be the set of all natural numbers. Then (0, N) with usual operations of addition and multiplication is a logical semiring because it is easy to see that for a, b ∈ N ∪ {0} we have a + b ∈ N iff a ∈ N or b ∈ N and a · b ∈ N iff both a ∈ N and b ∈ N. Example 3. Let Z0 (ǫ), Z+ (ǫ) be the set of all polynomials in ǫ with integer coefficients and free terms equal to 0 (respectively, from N). Then (Z0 (ǫ), Z+ (ǫ)) with usual operations of addition and multiplication is a logical semiring. Example 4. Let A0 ∪ A1 be any linearly ordered set and a < b for all a ∈ A0 , b ∈ A1 . Then (A0 , A1 ) with operations max and min is a logical semiring. The main idea of using logical semirings is as follows. Let we have to evaluate some expression T over S2 . We can instead consider some logical semiring (A0 , A1 ) and replace all 0 by any element from A0 all 1 by any element from A1 and evaluate the resulting expression T ′ over (A0 , A1 ). If the result is in A0 then T = 0, otherwise T = 1. Moreover, we can make computations not only over (A0 , A1 ), but over any semiring A ⊇ A0 ∪ A1 and use a more suitable algebraic structure of A (for example we can use Z instead of (0, N)). Let now S = {0, 1}, S1 be arbitrary finite set and consider all f : S n → S1 . Let α = R(y1 , . . . , ym ) be any relation over S. Then define the relation Rn over S n = { (α1 , . . . , αn ) | ∀ i αi ∈ S} as follows . . . , δ ≡ ∀ j R(αj , βj , . . . , δj ). , β, Rn α
If R1 (y1 , . . . , ym ) is any relation over S1 then define the set U (R, R1 ) to be the set of all functions f : S n → S1 satisfying the implication Rn ( α1 , . . . , α m ) =⇒ R1 (f ( α1 ), . . . , f ( αm ))
(4)
for any α 1 , . . . , α m in S n . (Note: the sets of type U (R, R1 ) are used extensively in Boolean and multiple-valued logics.) Consider now the set U (R, R1 ) where R1 (y1 , y2 , y3 , y4 ) is arbitrary relation over S1 and R(y1 , y2 , y3 , y4 ) is the next relation over S: R(y1 , y2 , y3 , y4 ) ≡ (y1 + y2 + y3 + y4 = 0 (mod 2)).
V. Alekseev / On Algebraic Algorithms Deciding Properties of Discrete Functions
27
(Note: if S1 = S and R1 = R, then U (R, R1 ) is the set of all linear Boolean functions.) Algorithm for deciding whether f ∈ U (R, R1 ) based on implication (4) has complexity of order at least N 4 , where N = 2n and n is the number of variables. Theorem 2. Let f (x1 , . . . , xn ) be specified by string of all its values. Then there exists an algorithm with bit complexity O(N log3 N ) for deciding whether f ∈ U (R, R1 ). Proof. According to (4), the property f ∈ / U (R, R1 ) can be represented in the following form: ∃α ∃ β ∃ γ ∃ δ
γ ), f δ α), f β , f ( Rn (α, β, γ, δ) & ¬R1 f (
In the same way as in Theorem 1, we can reduce this problem to evaluating over S2 the following expression:
T =
α
γ
β
δ
R(α1 , β1 , γ1 , δ1 ) & · · · & R(αn , βn , γn , δn )xα yβ zγ vδ .
But now we replace T , which is defined over S2 , by the following expression T ′ over the logical semiring (0, N): T′ =
α
β
γ
δ
t(α1 , β1 , γ1 , δ1 ) · · · t(αn , βn , γn , δn )xα yβ zγ vδ
where t(α, β, γ, δ) = 0 if R(α, β, γ, δ) is false and t(α, β, γ, δ) = 2 if R(α, β, γ, δ) is true. Now one only needs to evaluate T ′ because T ′ > 0 if and only if T = 1. It is easy to see that 1 1 1 1
t(α, β, γ, δ)xα yβ zγ vδ
α=0 β=0 γ=0 δ=0
= (x0 + x1 )(y0 + y1 )(z0 + z1 )(v0 + v1 ) + (x0 − x1 )(y0 − y1 )(z0 − z1 )(v0 − v1 ). Thus if we denote (α1 , . . . , αn−1 ) by α 0 , (β1 , . . . , βn−1 ) by β0 , (γ1 , . . . , γn−1 ) by γ 0 , ′ and (δ1 , . . . , δn−1 ) by δ0 , then we can transform T over Z as follows:
28
V. Alekseev / On Algebraic Algorithms Deciding Properties of Discrete Functions
T′ =
α 0
× =
0 β
γ 0
0 δ
1 1 1 1
αn =0 βn =0 γn =0 δn =0
α 0
t(α1 , β1 , γ1 , δ1 ) · · · t(αn−1 , βn−1 , γn−1 , δn−1 )
0 β
γ 0
0 δ
t(αn , βn , γn , δn )xα 0 ,αn yβ0 ,βn zγ0 ,γn vδ0 ,δn
t(α1 , β1 , γ1 , δ1 ) · · · t(αn−1 , βn−1 , γn−1 , δn−1 )
× (xα 0 ,0 + xα 0 ,1 ) yβ0 ,0 + yβ0 ,1 (zγ0 ,0 + zγ0 ,1 ) vδ0 ,0 + vδ0 ,1 ! + (xα 0 ,0 − xα 0 ,1 ) yβ0 ,0 − yβ0 ,1 (zγ0 ,0 − zγ0 ,1 ) vδ0 ,0 − vδ0 ,1 .
− − − + + + − Let xα 0 ,0 + xα 0 ,1 = x+ 0 ,0 − xα 0 ,1 = xα 0 be defined 0 , vδ 0 , zγ 0 , yβ 0 , vδ 0 , zγ 0 and yβ α 0 , xα similarly. Then
T′ = +
α 0
0 β
γ 0
0 δ
α 0
0 β
γ 0
0 δ
+ + + t(α1 , β1 , γ1 , δ1 ) · · · t(αn−1 , βn−1 , γn−1 , δn−1 )x+ 0 v α 0 y zγ β0
δ0
− − − t(α1 , β1 , γ1 , δ1 ) · · · t(αn−1 , βn−1 , γn−1 , δn−1 )x− 0 v . α 0 y zγ β0
δ0
Let L(N ) = L1 (n) be the minimum number of arithmetic operations over Z required for evaluating T ′ . Then we have L1 (n) ≤ 2L1 (n − 1) + O(2n ) − − − − + + + n because computing of all x+ 0 takes at most O(2 ) 0 , vδ 0 , zγ 0 , yβ 0 , xα 0 , vδ 0 , zγ α 0 , yβ operations. Using N = 2n , one can rewrite this as
L(N ) ≤ 2L
N 2
+ O(N ).
It is well known [1] that the last inequality implies L(N ) = O(N log N ). Our algorithm for evaluating T ′ is described as recursive. We have n = log2 N cycles of recursion and the length of all integers can increase at most by a constant in each step. Thus the length of all integers in this algorithm is O(log N ) and the number of bit operations is O(N log N ) · O(log2 N ) = O(N log3 N ). In the proof of the above theorem we used the logical semiring (0, N) and calculations were in its extension, namely, the set of integers. In the next example we use the same logical semiring (0, N), but calculations are over the complex numbers. Consider the set P2∗ of all partial Boolean functions (“partial” means that function can take values 0, 1 or ∗ (undefined)). A set A of partial Boolean functions is said to be complete iff any function in P2∗ can be represented by a formula over A. Consider the problem of checking completeness of a given set A of partial Boolean functions. It is well known that the same problem for the set P2 of all total Boolean functions reduces
V. Alekseev / On Algebraic Algorithms Deciding Properties of Discrete Functions
29
to checking if a given function belongs to one of 5 special classes (Post theorem). If functions are specified by strings of their values then for 4 of these classes this can be done with complexity O(N ). The last is the class of all monotone Boolean functions and by the result of Voronenko [2] one can check if a Boolean function is monotone with √ complexity O(N log N log log N ). From this result it follows √ that we can check if the set of Boolean functions is complete with complexity O(N log N log log N ). Consider now the problem of checking completeness of a set of partial Boolean functions. Let R(y1 , . . . , ym ) be any relation over E2 = {0, 1}. Then we define the relation R∗ (y1 , . . . , ym ) over {0, 1, ∗} as follows: R∗ (y1 , . . . , ym ) ≡ ∃ j (yj = ∗) ∨ R(y1 , . . . , ym ). Consider the following relations over E2 : R1 (y) ≡ (y = 0); R2 (y) ≡ (y = 1); R3 (y1 , y2 ) ≡ (y1 = 0) & (y2 = 1); R4 (y1 , y2 ) ≡ (y1 ≤ y2 ); R5 (y1 , y2 ) ≡ (y1 = y2 ); R6 (y1 , y2 , y3 , y4 ) ≡ y1 + y2 + y3 + y4 = 0 (mod 2); R7 (y1 , y2 , y3 , y4 ) ≡ (y1 = y2 ) & (y3 = y4 ) ∨ (y1 = y3 ) & (y2 = y4 ). Let also ∗ denote nowhere defined function. Theorem 3 (Freivald [3]). A set A of partial Boolean functions is complete if and only if it does not belong to any of the following 8 classes: P2 ∪{∗}, U (Ri , Ri∗ ), i = 1, 2, . . . , 7. Note that classes U (Ri , Ri ), i = 1, 2, 4, 5, 6, in P2 are Post classes of functions preserving 0, preserving 1, monotone functions, self-dual functions and linear functions. Classes U (Ri , Ri∗ ), i = 1, 2, 4, 5, in P2∗ are classes of partially defined Boolean functions that can be extended to total Boolean function of corresponding Post class. But this does not hold for U (R6 , R6∗ ). If L is the set of all linear Boolean functions and L∗ is the set of all partially defined Boolean functions that can be extended to linear Boolean functions then there exists a continuum of closed classes between L and L∗ as well as between L∗ and U (R6 , R6∗ ) [4]. Algorithm for checking if function belongs to one of the 8 Freivald classes based on implication (4) has complexity at least of order N 4 . One can prove the next theorem. Theorem 4. If partial Boolean functions are represented by strings of their values then for checking the completeness of a system A of partial Boolean functions there exists an algorithm with bit complexity O(N log2 3 log N log log N log log log N ), where N is the total length of the strings representing all functions from A. Proof. According to Theorem 3 one only needs to check for each of the 8 Freivald classes if all functions of the set A belong to this class. By Theorems 1 and 2 one can check if a function belongs to one of first 6 classes with complexity O(N log N ) and if it belongs to U (R6 , R6∗ ) with complexity O(N log3 N ). The only problem is to check if a function belongs to the last class U (R7 , R7∗ ). The predicate R7 is true only for 6 tuples of length 4. Thus the predicate R7n is true for 6n = (2n )log2 6 tuples of 4 strings of length n. Hence if a function has n variables and we check implication (4) for U (R7 , R7∗ ) only when the left-hand side of implication log 6 is true then we can reduce the complexity of checking for one function to O(N1 2 ) n log2 6 ). Further reduction is not that simple. where N1 = 2 and for all functions to O(N Let λ be a complex root of the equation λ2 + λ + 1 = 0 (this means that λ3 = 1). It is easy to check that
30
V. Alekseev / On Algebraic Algorithms Deciding Properties of Discrete Functions
(x0 + x1 )(y0 + y1 )(z0 + z1 )(t0 + t1 ) + (x0 + λx1 ) y0 + λ2 y1 z0 + λ2 z1 (t0 + λt1 ) + x0 + λ2 x1 (y0 + λy1 )(z0 + λz1 ) t0 + λ2 t1 = hijrs xi yj zr ts
(5)
with hijrs = 3 if R7 (ijrs) is true and hijrs = 0 if R7 (ijrs) is false. So we can use the logical semiring (0, N) and proceed almost along the same lines as we have done in the proof of Theorem 2. Thus one can reduce the problem of checking if f (x1 , . . . , xn ) belongs to U (R7 , R7∗ ) to evaluating some algebraic expression and then reduce this problem for n to 3 similar problems for n−1 using (5). Therefore, if N1 = 2n , for the number of arithmetic operations we have L(N1 ) ≤ 3L
N1 2
+ O(N1 ),
log 3 from which it follows [1] that L(N1 ) = O N1 2 . We can use in our calculations only numbers a + λb with integer a and b and code them by pairs of integers in binary representation. We have log2 N1 iteration steps. Thus the lengths of codes of all numbers in algorithm are O(log N1 ) = O(log N ). We can add or multiply such numbers with O(log N log log N log log log N ) bit operations [1]. So the total number ofbit operations log 3 for one function in n variables is O N1 2 log N log log N log log log N . Because for
function f (x) = xlog2 3 we have f (x1 ) + f (x2 ) ≤ f (x1 + x2 ), the total number of bit operations for all functions is O N log2 3 log N log log N log log log N
Now consider an example where a more powerful logical semiring of polynomials is used. Let S = {0, 1}, S1 be arbitrary finite set and consider all f : S n → S1 . Consider the set U (R, R1 ), where R1 (y1 , y2 , y3 ) is arbitrary relation over S1 and R(y1 , y2 , y3 ) is the following relation over S: R(y1 , y2 , y3 ) ≡ (y1 + y2 + y3 ≥ 2). Algorithm for deciding whether f ∈ U (R, R1 ) based on implication (4) has complexity of order at least N 3 where N = 2n and n is the number of variables. Theorem 5. Let f (x1 , . . . , xn ) be specified by the string of all its values. Then there exists an algorithm with bit complexity O(N log5 N ) for deciding whether f ∈ U (R, R1 ). Proof. Let Z0 (ǫ), Z+ (ǫ) be the sets of all polinomials in ǫ with integer coefficients and free terms equal to 0 (respectively, from N). Then the pair (Z0 (ǫ), Z+ (ǫ)) with usual operations of addition and multiplication is a logical semiring. As in the proof of Theorem 2, one can reduce the problem of deciding whether f (x1 , . . . , xn ) ∈ U (R, R1 ) to evaluating over (Z0 (ǫ), Z+ (ǫ)) the following expression: T′ =
α
β
γ
t(α1 , β1 , γ1 ) · · · t(αn , βn , γn ) · xα yβ zγ ,
31
V. Alekseev / On Algebraic Algorithms Deciding Properties of Discrete Functions
where Z0 (ǫ) t(α, β, γ) ∈ Z+ (ǫ)
if R(α, β, γ) is false, if R(α, β, γ) is true.
(6)
and xα , yβ , zγ take values in Z0 (ǫ) or Z+ (ǫ) (for example, 0 and 1). Consider the next equality: 1 {[x1 (1 + ǫ) + x0 ǫ][y1 (1 + ǫ) + y0 ǫ][z1 (1 + ǫ) + z0 ǫ] − x1 y1 z1 } ǫ = x1 y1 z1 (3 + 3ǫ + ǫ2 ) + (x0 y1 z1 + x1 y0 z1 + x1 y1 z0 )(1 + 2ǫ + ǫ2 ) + (x0 y0 z1 + x0 y1 z0 + x1 y0 z0 )(ǫ + ǫ2 ) + x0 y0 z0 ǫ2 . to (6) and thus we take this Note that coefficients in xα , yβ , zγ in this sum correspond = ( γ0 , γn ), xα ,1 (1 + coefficients as t(α, β, γ). Denote α = ( α0 , αn ), β = β0 , βn , γ 0
ǫ) + xα 0 ,0 ǫ = pα 0 , yβ0 ,1 (1 + ǫ) + yβ0 ,0 ǫ = qβ0 , zγ0 ,1 (1 + ǫ) + zγ0 ,0 ǫ = rγ0 . Then we have t(α1 , β1 , γ1 ) · · · t(αn−1 , βn−1 , γn−1 ) T′ = 0 β
α 0
× =
γ 0
1 1 1
αn =0 βn =0 γn =0
t(αn , βn , γn )xα 0 ,αn yβ0 ,βn zγ0 ,γn
1 t(α1 , β1 , γ1 ) · · · t(αn−1 , βn−1 , γn−1 ) · pα 0 qβ0 rγ0 ǫ α 0
−
0 β
γ 0
1 ǫ
α 0
0 β
γ 0
t(α1 , β1 , γ1 ) · · · t(αn−1 , βn−1 , γn−1 ) · xα 0 ,1 yβ0 ,1 zγ0 ,1 .
Let Z{ǫ} be the set of all Laurent polynomials in ǫ with a finite number of terms of negative degrees. Thus the problem of evaluating T ′ over Z{ǫ} for n is reduced to the same problem for n − 1. If N = 2n then for the minimum number L(N ) of arithmetic operations required for evaluating T ′ over Z{ǫ} we have: L(N ) ≤ 2L
N 2
+ O(N ).
This implies [1] that L(N ) = O(N log N ). When calculating pα 0 , qβ0 , rγ0 , the maximum degree of these polynomials and the maximum length of coefficients can increase at most by a constant. We have log2 N iteration cycles. Thus the degrees of all polynomials and the lengths of all coefficients in N ). We can add or multiply the algorithm are O(log such polynomials with O log2 N · O log2 N = O log4 N bit operations.
(One can improve this bound by using faster multiplication of polinomials and integers [1].)
32
V. Alekseev / On Algebraic Algorithms Deciding Properties of Discrete Functions
The method proposed in the present paper reduces problems of searching for fast algorithms to problems of searching for suitable logical semirings and appropriate algebraic transformations. This method can be used for designing fast algorithms on discrete structures.
References [1] A.V. Aho, J.E. Hopcroft, J.D. Ullman, The design and analysis of computer algorithms, Addison-Wesley, 1976. [2] A.A. Voronenko, On the complexity of recognition of monotonicity, Mathematical problems of cybernetics, issue 8, Moscow, Nauka, 1999, 301–303 (in Russian). [3] R.V. Freivald, Criterion of completeness of partial functions of algebra of logic and of multiple-valued logic, DAN SSSR 167 (1966), 1249–1250 (in Russian). [4] V.B. Alekseev and A.A. Voronenko, On some closed classes in partial two-valued logic, Discrete mathematics (Russian), 6(4) (1994), 58–79 (in Russian). English translation: Discrete mathematics and application, 4(5) (1994), 401–419.
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-33
33
Non-Archimedean Theory of T -Functions Vladimir ANASHIN 1 , Lomonosov University, Moscow, Russia Abstract. Loosely speaking, a T -function is a mapping from k-bit words into r-bit words such that each i-th bit of image depends only on low-order bits 0, . . . , i of the pre-image. For example, all arithmetic operations (addition, multiplication) are T -functions, all bitwise logical operations (XOR, AND, etc.) are T -functions. Any composition of T -functions is a T -function as well. Thus T -functions are natural computer word-oriented functions. It turns out that T -functions are continuous (and often differentiable!) functions with respect to the so-called 2-adic distance. This enables one apply 2-adic analysis to construct wide classes of T -functions with provable cryptographic properties (long period, balance, uniform distribution, high linear complexity, etc.). We consider stream ciphers constructed out of T -functions as specific automata that could be associated to dynamical systems on the space of 2-adic integers and apply the theory of non-Archimedean dynamical systems to study important cryptographic properties of these ciphers. Keywords. Pseudorandom generator, T -function, stream cipher, ergodic function, balanced function, Latin square, p-adic analysis
Introduction An n-variate triangular function (a T -function for short) is a mapping α0↓ , α1↓ , α2↓ , . . . → Φ↓0 α0↓ , Φ↓1 α0↓ , α1↓ , Φ↓2 α0↓ , α1↓ , α2↓ , . . . ,
where αi↓ ∈ Bn is a Boolean columnar n-dimensional vector; B = {0, 1}, and Φ↓i : (Bn )i+1 → Bm
maps (i + 1) Boolean columnar vectors α0↓ , . . . , αi↓ to m-dimensional n-dimensional columnar Boolean vector Φ↓i α0↓ , . . . , αi↓ . Accordingly, a univariate T -function f is a mapping f
(χ0 , χ1 , χ2 , . . .) → (ψ0 (χ0 ); ψ1 (χ0 , χ1 ); ψ2 (χ0 , χ1 , χ2 ); . . .), where χj ∈ {0, 1}, and each ψj (χ0 , . . . , χj ) is a Boolean function in Boolean variables χ0 , . . . , χj . T -functions may be viewed as mappings from non-negative integers 1 Information Security Institute, Lomonosov University, 119192 Michurinsky prosp., 1, Moscow, Russia; E-mail: [email protected], [email protected].
34
V. Anashin / Non-Archimedean Theory of T-Functions
to non-negative integers: e.g., a univariate T -function f sends a number with the base-2 expansion χ0 + χ1 · 2 + χ2 · 22 + · · · to the number with the base-2 expansion ψ0 (χ0 ) + ψ1 (χ0 , χ1 ) · 2 + ψ2 (χ0 , χ1 , χ2 ) · 22 + · · · Further in the paper we refer to these Boolean functions ψ0 , ψ1 , ψ2 , . . . as coordinate functions of a T -function f . If we restrict T -functions to the set of all numbers whose base-2 expansions are not longer than k, we sometimes refer these restrictions as T functions on k-bit words. Important examples of T -functions are basic machine instructions: • integer arithmetic operations (addition, multiplication,. . . ); • bitwise logical operations (OR, XOR, AND, NOT); • some their compositions (masking, shifts towards high order bits, reduction modulo 2k ). Since obviously a composition of T -functions is a T -function (for instance, any polynomial with integer coefficients is a T -function), the T -functions are natural transformations of binary words that can be performed by digital computers and that is why they recently have attracted attention of researches in computer science and cryptology. Although in cryptology the term “T -function” was suggested only in 2002, by Klimov and Shamir, see [1], in mathematics the mappings we refer as T -functions are known more than 50 years, however, under other names. For instance, in automata theory Yablonsky et. al. studied the so-called determined functions since 1950-th, see [2]. Actually, a determined function is a function that could be represented by an automaton. Consider an automaton with a binary input and binary output; then each infinite input string of 0s and 1s the automaton transforms into an infinite output string of 0s and 1s (we suppose that the initial state is fixed). Note that every outputted i-th bit depends only on the inputted i-th bit and on the current state of the automaton. Yet the current state depends only on the previous state and on the (i − 1)-th input bit. Hence, for every i = 1, 2, . . ., the i-th outputted bit depends only on bits 1, 2, . . . , i of the input string, and so the transformation of all infinite binary strings performed by the automaton is a T -function. We note here that Yablonsky and his succeedors were mostly interested in such properties of determined functions as completeness of various systems of functions, methods of constructing automata representing given function, etc. It worth notice also that determined functions were studied in a more general setting, for arbitrary K-letter inputs/outputs. T -functions were also studied in algebra, and also in much more general setting: T -functions are a special case of the so-called compatible mappings; namely, any T function on k-bit words is a compatible mapping of a residue ring modulo 2k . Recall that a transformation f : A → A on an algebraic system A (that is, of a set endowed with operations ω ∈ Ω) is called compatible whenever f agrees with all congruences of A; that is, f (a) ∼ f (b) whenever a ∼ b, where ∼ is a congruence of A.
V. Anashin / Non-Archimedean Theory of T-Functions
35
Recall that a congruence ∼ is an equivalence relation that agrees with all operations ω of A: ω(a1 , . . . , ar ) ∼ ω(b1 , . . . , br ) whenever ai ∼ bi , i = 1, 2, . . . , r, r is the arity of ω. It is obvious that a compatible transformation on the residue ring Z/2k Z modulo 2k is a T -function on k-bit words (under a natural one-to-one correspondence between Bk and Z/2k Z, when an k-bit word from Bk is considered as a base-2 expansion of an integer): In the case A = Z/2k Z is a residue ring modulo 2k the compatibility of f yields a≡b
(mod 2s ) =⇒ f (a) ≡ f (b) (mod 2s ),
for all s ≤ k, which is merely an equivalent definition of a (univariate) T -function on k-bit words. For further results on compatible functions on rings and other algebras see a 30-year old monograph [3] and references therein. We note here that among other important results, within this theory were obtained criteria for invertibility of polynomial mappings over rings; actually Theorem 3 mentioned below is a far-going generalization of this result. Since the early 1990-th the non-Archimedean theory of T -functions emerged, which treated T -functions as continuous transformations on the space Z2 of 2-adic integers and studied corresponding dynamics. The first publications in this area were [4] and [5]; the importance of T -functions for pseudorandom generation and cryptology was explicitly stated in these papers as well. Within this theory it was demonstrated that T -functions are continuous transformations with respect to the 2-adic metrics, and that invertibility (resp., single cycle property) of T -functions correspond to measure preservation (resp., ergodicity) of these continuous transformations. This approach supplies a researcher with a number of effective tools from the non-Archimedean (actually, 2-adic) analysis to determine whether a given T -function is invertible or has a single cycle property, to study distribution and structure of output sequences, to construct wide classes of T -functions with prescribed properties, etc. We discuss this approach further in the present paper. We note that this theory was developed in a more general setting, for arbitrary prime p, and not necessarily for p = 2, which corresponds to the case of T -functions. However, in the paper we consider the case p = 2 only, although most of results mentioned below remain true (after proper modification) in a general case as well. Last, but not least: T -functions under the name of triangular Boolean mappings were studied in the theory of Boolean functions. Within this theory there were obtained important criteria for invertibility and a single cycle property of a T -function, in terms of coordinate Boolean functions ψ0 , ψ1 , ψ2 , . . .. The criteria are a mathematical folklore circulating at least since 1970th among mathematicians dealing with the theory of Boolean functions; we reproduce these criteria below in Section 2. The paper is organized as follows: • in Section 1 we consider a PRNG as an automaton and argue that T -functions with a single cycle property could serve as state update functions, whereas balanced T -functions could serve as filters; • in Section 2 we recall mathematical folklore criteria for invertibility/single cycle property of a univariate T -function, in terms of algebraic normal forms of coordinate functions; • in Section 3 we recall basic notions concerning 2-adic numbers and demonstrate that any T -function is a continuous function of 2-adic variables;
36
V. Anashin / Non-Archimedean Theory of T-Functions
f
xi+1 = f (xi ) state update
xi
F
output
yi = F (xi )
Figure 1. Pseudorandom number generator.
• in Section 4 we recall basic notions of ergodic theory and demonstrate that balancedness (in particular, invertibility) and single cycle property of a T -function correspond to, accordingly, measure preservation and ergodicity; • in Section 5 we explain how to use 2-adic differentiation to determine whether a T -function is balanced, invertible, or has a single cycle property; • in Section 6 we consider interpolation series, with the same purpose; • in Section 7 we discuss how complex are recurrence sequences whose recurrence laws are T -functions, with respect to linear complexity and structural properties; • we conclude in Section 8.
1. Stream Ciphers and Pseudorandom Number Generators A pseudorandom generator, or a pseudorandom number generator (a PRNG for short) is an algorithm that takes a short random string (which is called a key, or a seed) and stretches it into a much longer sequence, a keystream, which looks like random; that is, passes certain statistical tests. The schematics of a typical PRNG is shown in Figure 1. The function f : A → A is called the state update function, whereas the function F : A → B is called the output function (or filter). In software development it is convenient (although not necessary) that A = Bn , B = Bm , and we restrict our considerations to this case. We usually associate Bk either with the residue ring Z/2k Z modulo 2n , or with a Cartesian power (Z/2r Z)s in case k = rs. Actually, within the scope of the paper we speak about stream cipher meaning the latter is a pseudorandom generator which is used for encryption: The produced keystream is XORed with a plaintext resulting in ciphertext. However, not every PRNG is suitable for stream encryption. Stream ciphers are cryptographically secure PRNGs; that is, they must not only produce statistically good sequences, but also they must withstand cryptanalyst’s attacks; however, this issue is outside the scope of the paper. The output sequence of the PRNG is necessarily periodic, and the length of the period must be as long as possible: too short period makes the output sequence of the PRNG statistically bad and vulnerable to attacks. To make the period of the PRNG the longest
V. Anashin / Non-Archimedean Theory of T-Functions
37
possible (i.e., of length 2n ), one must take the state update function f : Z/2n Z → Z/2n Z with a single cycle property; that is, f must permute elements of Z/2n Z cyclically. In this case we also say that f is transitive modulo 2n . The state update sequence x0 , x1 = f (x0 ), . . . , xi+1 = f (xi ) = f i+1 (x0 ), . . . of n-bit words will have then the longest possible period (of length 2n ), and strict uniform distribution; that is, each n-bit word will occur within the period exactly once. In order not to spoil the uniform distribution, one may take a balanced output function F : Z/2n Z → Z/2m Z as a filter. That is, to each m-bit word the mapping F maps the same number of n-bit words (hence; m ≤ n). For m = n balanced mappings are just invertible (that is, bijective, one-to-one) mappings. We say also that the function F on n bit words is bijective modulo 2n whenever the mapping F : Z/2n Z → Z/2n Z is invertible. Note that whenever both n and m are multiples of k, n = ks and m = kr, one can associate the set Bn (resp., Bm ) to respective cartesian powers (Z/2k Z)s and (Z/2k Z)r of the residue ring Z/2k Z and thus to speak of balance modulo 2k of the function F . If a PRNG is to be implemented in software, one must know how to construct single cycle (respectively, balanced) mappings out of basic machine instructions which include integer arithmetic operations (addition, multiplication,. . . ) and bitwise logical operations (OR, XOR, AND, NOT,. . . ). Further in the paper we discuss the relevant techniques.
2. Algebraic Normal Forms It is well known how to determine whether a univariate T -function f
(χ0 , χ1 , χ2 , . . .) → (ψ0 (χ0 ); ψ1 (χ0 , χ1 ); ψ2 (χ0 , χ1 , χ2 ); . . .) is invertible (or, accordingly, has a single cycle property) whenever its coordinate functions ψj (χ0 , . . . , χj ) are represented via algebraic normal forms. Recall that the algebraic normal form (the ANF for short) of a Boolean function ψj (χ0 , . . . , χj ) is the representation of this function via ⊕ (addition modulo 2, that is, “exclusive or”) and · (multiplication modulo 2, that is, “and”, or conjunction). In other words, the ANF of the Boolean function ψ is its representation in the form ψ(χ0 , . . . , χj ) = beta ⊕ β0 χ0 ⊕ β1 χ1 ⊕ . . . ⊕ β0,1 χ0 χ1 ⊕ . . . , where β, β0 , . . . ∈ {0, 1}. Recall also that the weight of the Boolean function ψj in (j + 1) variables is the number of (j + 1)-bit words that satisfy ψj ; that is, the weight is the cardinality of the truth set of the Boolean function ψj . The following theorem is a mathematical folklore known since 1970th: Theorem 1. A univariate T -function f is invertible if and only if for each j = 0, 1, . . . the Boolean function ψj in Boolean variables χ0 , . . . , χj is linear with respect to the variable χj ; that is, f is invertible if and only if the ANF of each ψj is of the form
38
V. Anashin / Non-Archimedean Theory of T-Functions
ψj (χ0 , . . . , χj ) = χj ⊕ φj (χ0 , . . . , χj−1 ), where φj is a Boolean function that does not depend on the variable χj . The univariate T -function f has a single cycle property if and only if, additionally, all Boolean functions φj are of odd weight. The latter takes place if and only if φ0 = 1, and the full degree of the Boolean function φj for j ≥ 1 is exactly j, that is, the ANF of φj contains a monomial χ0 · · · χj−1 . Thus, f has a single cycle property if and only if ψ0 (χ0 ) = χ0 ⊕ 1, and for j ≥ 1 the ANF of each ψj is of the form ψj (χ0 , . . . , χj ) = χj ⊕ χ0 · · · χj−1 ⊕ θj (χ0 , . . . , χj−1 ), where the weight of θj is even; i.e., deg θj ≤ j − 1. Note 1. Actually the bit-slice technique of Klimov and Shamir, which they introduced in [1], is just a re-statement of Theorem 1. Unfortunately, areas of applications of Theorem 1 are rather restricted: To determine with the use of this theorem whether a given composition of arithmetic and bitwise logical operators is invertible (or whether it has a single cycle property) is possible only for rather simple compositions like the mapping x → x + x2 OR C considered in [1]. The latter mapping is transitive modulo 2n if and only if C ≡ 5 (mod 8) or C ≡ 7 (mod 8); see [6, Example 3.14] or [7, Example 4.9] for the proof based on Theorem 1. Earlier in 1999 Kotomina [8] applied Theorem 1 to prove the following statement resulting in the so called add-xor generators, which are extremely fast: The T -function f (x) = (. . . ((((x + c0 ) XOR d0 ) + c1 ) XOR d1 ) + · · · is transitive modulo 2n (n ≥ 2) if and only if it is transitive modulo 4. The following proposition, whose proof is also based on Theorem 1, gives a method to construct new invertible T -functions (respectively, T -functions with a single cycle property), out of given T -functions: Proposition 1 ([6,7]). Let F be an (n+1)-variate T -function such that for all z1 , . . . , zn the T -function F (x, z1 , . . . , zn ) is invertible with respect to the variable x. Then the composition F (f (x), 2g1 (x), . . . , 2gn (x)) is invertible for arbitrary T -functions g1 , . . . , gn and any invertible T -function f . Moreover, if f has a single cycle property, then f (x + 4g(x)), f (x XOR (4g(x))), f (x) + 4g(x), and f (x) XOR (4g(x)) have a single cycle property, for arbitrary T function g. Although Theorem 1 can be applied to verify invertibility/single cycle property of some T -functions, it is highly doubtful that one can prove, with the use of Theorem 1 only, that, e.g., the following function is a T -function with a single cycle property (it is!):
2 (x+1)AND(1/5) 1−2x 1 (x + 2x) XOR (1/3) x 2+ + x +2 3 3 2x + 3 ⎞ ⎛
2 xAND(1/5) 5−2x (x − 1) XOR (1/3) ⎠. + 2 NOT ⎝ 2x + 1
V. Anashin / Non-Archimedean Theory of T-Functions
39
We need more delicate tools than Theorem 1 to study complicated compositions of basic machine instructions. These tools can be derived from the p-adic dynamical systems theory.
3. 2-Adic Integers and T -Functions As it follows directly from the definition, any T -function is well-defined on the set Z2 of all infinite binary sequences . . . δ2 (x)δ1 (x)δ0 (x) = x, where δj (x) ∈ {0, 1}, j = 0, 1, 2, . . .. Arithmetic operations (addition and multiplication) with these sequences could be defined via standard “school-textbook” algorithms of addition and multiplication of natural numbers represented by base-2 expansions. Each term of a sequence that corresponds to the sum (respectively, to the product) of two given sequences could be calculated by these algorithms within a finite number of steps. Thus, Z2 is a commutative ring with respect to the addition and multiplication defined in this manner. The ring Z2 is called the ring of 2-adic integers. The ring Z2 contains a subring Z of all rational integers: For instance, . . . 111 = −1, since +
. . .1111 . . .0001 . . .0000
Moreover, the ring Z2 contains all rational numbers that can be represented by irreducible fractions with odd denominators. For instance, the following calculations show that . . . 01010101 × . . . 00011 = . . . 111, i.e., that . . . 01010101 = −1/3 since . . . 00011 = 3 and . . . 111 = −1: . . .010101 . . .000011 . . .010101 + . . .10101 . . .111111
×
Sequences with only a finite number of 1s correspond to non-negative rational integers in their base-2 expansions, sequences with only a finite number of 0s correspond to negative rational integers, while eventually periodic sequences (that is, sequences that become periodic at a certain place) correspond to rational numbers represented by irreducible fractions with odd denominators: For instance, 3 = . . . 00011, −3 = . . . 11101, 1/3 = . . . 10101011, −1/3 = . . . 1010101. So the j-th term δj (u) of the corresponding sequence u ∈ Z2 is merely the j-th digit of the base-2 expansion of u whenever u is a non-negative rational integer, u ∈ N0 = {0, 1, 2, . . .}. What is important, the ring Z2 is a metric space with respect to the metrics (distance) d2 (u, v) defined by the following rule: d2 (u, v) = u − v2 = 1/2n , where n is the smallest non-negative rational integer such that δn (u) = δn (v), and d2 (u, v) = 0 if no such n exists (i.e., if u = v). For instance d2 (3, 1/3) = 1/8. The function d2 (u, 0) = u2 is a norm of a 2-adic integer u, and ord2 u = − log2 u2 2 is a 2-adic valuation of u. Note that for u ∈ N0 the valuation ord2 u is merely the exponent of the highest power of 2 that divides u (thus, loosely speaking, ord2 0 = ∞, thus 02 = 0).
40
V. Anashin / Non-Archimedean Theory of T-Functions
Once the metric is defined, one defines notions of convergent sequences, limits, continuous functions on the metric space, and derivatives if the space is a commutative ring. For instance, with respect to the so defined metric d2 on Z2 the following sequence tends to −1 = . . . 111, 1, 3, 7, 15, 31, . . . , 2n − 1, . . . −→ −1, d2
bitwise logical operators (such as XOR, AND, . . . ) define continuous functions in two variables, the function f (x) = x XOR a is differentiable everywhere on Z2 for every rational integer a: Its derivative is −1 for negative a, and 1 in the opposite case. Reduction modulo 2n of a 2-adic integer v, i.e., setting all terms of the corresponding sequence with indices greater than n − 1 to zero (that is, taking the first n digits in the representation of v) is just an approximation of a 2-adic integer v by a rational integer with precision 1/2n : This approximation is an n-digit positive rational integer v AND (2n − 1); the latter will be denoted also as v mod 2n . Actually a processor operates with approximations of 2-adic integers with respect to 2-adic metrics: When the overflow happens, i.e., when a number that must be written into an n-bit register consists of more than n significant bits, the processor just writes only n low order bits of the number into the register thus reducing the number modulo 2n . Thus, precision of the approximation is defined by the bitlength of machine words of the processor. What is most important within the scope of the paper is that all T -functions are continuous functions of 2-adic variables, since all T -functions satisfy Lipschitz condition with the constant 1 with respect to the 2-adic metrics, and vice versa. Indeed, it is obvious that the function f : Z2 → Z2 satisfies the condition f (u) − f (v)2 ≤ u − v2 for all u, v ∈ Z2 if and only if f is compatible, since the inequality a−b2 ≤ 1/2k is just equivalent to the congruence a ≡ b (mod 2k ). A similar property holds for multivariate T -functions. So we conclude: T -functions = compatible functions = 1-Lipschitz functions The observation we just have made implies that the non-Archimedean (namely, the 2-adic) analysis can be used in the study of T -functions. For instance, one can prove that the following functions satisfy Lipschitz condition with a constant 1 and thus are T -functions (so we can use them in compositions to construct PRNGs): • subtraction, −: (u, v) → u − v; • exponentiation, ↑: (u, v) → u↑v = (1+2u)v , and in particular raising to negative powers, u ↑ (−n) = (1 + 2u)−n ; • division, //: u // v = u · (v ↑ (−1)) = u/(1 + 2v). We summarize: • T -functions on n-bit words are just approximations of 2-adic compatible functions (i.e., 1-Lipschitz functions) with precision 2−n w.r.t. the 2-adic metric: That is, a T -function on n-bit words is just a reduction modulo 2n of a 2-adic 1Lipschitz function.
V. Anashin / Non-Archimedean Theory of T-Functions
41
• To study properties of T -functions one can use 2-adic analysis , since compatible functions are continuous w.r.t. the 2-adic metric. • In addition to the basic machine instructions, to construct T -functions one can use also subtraction, division by an odd integer, raising an odd integer to a certain power. All these considerations after proper modifications remain true for arbitrary prime p, and not only for p = 2, thus leading to the notion of a p-adic integer, and to p-adic analysis. For formal introduction to p-adic analysis, exact notions and results see any relevant book, e.g., [9,10]. Although most of results mentioned further also remain true for arbitrary prime p, in the paper we consider only the case p = 2 since we are dealing with T -functions. For the relevant theory for arbitrary prime p see [4,5,11,12,6,13,14,15]. The latter theory provides tools to construct non-linear pseudorandom generators modulo arbitrary N , which is not necessarily a power of a prime. However, these generators are out of the scope of the present paper.
4. The 2-Adic Ergodic Theory and T -Functions Now we describe connections between PRNGs and the 2-adic ergodic theory. Recall that a dynamical system on a measurable space S is a triple (S; μ; f ), where S is a set endowed with a measure μ, and f : S → S is a measurable function; that is, an f -preimage of any measurable subset is a measurable subset. These basic definitions from dynamical system theory, as well as the following ones, could be found in [16]; see also [17] as a comprehensive monograph on various aspects of dynamical systems theory. A trajectory of a dynamical system is a sequence x0 , x1 = f (x0 ), . . . , xi = f (xi−1 ) = f i (x0 ), . . . of points of the space S, x0 is called an initial point of the trajectory. If F : S → T is a measurable mapping to some other measurable space T with a measure ν (that is, if an F preimage of any ν-measurable subset of T is a μ-measurable subset of S), the sequence F (x0 ), F (x1 ), F (x2 ), . . . is called an observable. Note that the trajectory formally looks like the sequence of states of a pseudorandom generator, whereas the observable resembles the output sequence. A mapping F : S → Y of a measurable space S into a measurable space Y endowed with probabilistic measures μ and ν, respectively, is said to be measure preserving (or, sometimes, equiprobable) whenever μ(F −1 (S)) = ν(S) for each measurable subset S ⊂ Y. In the case S = Y and μ = ν, a measure preserving mapping F is said to be ergodic whenever for each measurable subset S such that F −1 (S) = S one has either μ(S) = 1 or μ(S) = 0. Recall that to define a measure μ on some set S we should assign non-negative real numbers to some subsets that are called elementary. All other measurable subsets are compositions of these elementary subsets with respect to countable unions, intersections, and complements. Elementary subsets in Z2 are balls B2−k (a) = a + 2k Z2 of radii 2−k (in other words, co-sets with respect to the ideal generated by 2k ). To each ball we assign a number μ2 (B2−k (a)) = 1/2k . This way we define a probabilistic measure on the space Zp ,
42
V. Anashin / Non-Archimedean Theory of T-Functions
μ2 (Z2 ) = 1. The measure μ2 is called a (normalized) Haar measure on Z2 . The normalized Haar measure on Zn2 can be defined in a similar manner. In other words, the ball a + 2k Z2 (of radius 2−k ) is a set of all 2-adic integers that are congruent to a modulo 2k ; and the measure of this ball is μ2 (a + 2k Z2 ) = 2−k . For example, · · · ∗ ∗ ∗ ∗ ∗ 0101 = 5 + 16 · Z2 = −1/3 + 16 · Z2 is a ball of radius (and of measure) 1/16 centered at the point 5 (or, which is the same, at the point −1/3); all 2-adic numbers that are congruent to 5 modulo 16 form this ball. Note that the sequence {si }∞ i=0 of 2-adic integers is uniformly distributed (with respect to the normalized Haar measure μ2 on Z2 ) if and only if it is uniformly distributed modulo 2k for all k = 1, 2, . . .; That is, for every a ∈ Z/2k Z relative numbers of occurrences of a within initial segment of length ℓ of the sequence {si mod 2k } of residues modulo 2k are asymptotically equal, i.e., limℓ→∞ A(a, ℓ)/ℓ = 1/2k , where A(a, ℓ) = |{si ≡ a (mod 2k ) : i < ℓ}|, see [16] for details. Thus, strictly uniformly distributed sequences are uniformly distributed in the usual meaning of the theory of distributions of sequences. Moreover, the following theorem (which was announced in [12] and proved in [18]) holds. Theorem 2. For m = n = 1, an 1-Lipschitz mapping F : Zn2 → Zm 2 preserves the normalized Haar measure μ2 on Z2 (resp., is ergodic with respect to μ2 ) if and only if it is bijective (resp., transitive) modulo 2k for all k = 1, 2, 3, . . .. For n ≥ m, the mapping F preserves measure μ2 if and only if it induces a balanced mapping of (Z/2k Z)n onto (Z/2k Z)m , for all k = 1, 2, 3, . . .. In other words, the theorem states that • for univariate T -functions, measure preservation is equivalent to the invertibility modulo 2k for all k ∈ N; • for multivariate T -functions, i.e., for F : Zn2 → Zm 2 , measure preservation is equivalent to the balancedness modulo 2k for all k ∈ N; • ergodicity is equivalent to the single cycle property modulo 2k for all k ∈ N
This theorem implies in particular that whenever one chooses an ergodic T -function f : Z2 → Z2 as a state transition function of a PRNG (see Figure 1), and a measurepreserving T -function F : (Z/2k Z)n → (Z/2k Z)m as an output function of the PRNG, both the sequence of states and output sequence of the PRNG are uniformly distributed with respect to the Haar measure. This implies that reduction of these sequences modulo 2n results in strictly uniformly distributed sequences of binary words. Note also that any number that is longer than a word bitlength of a computer, is reduced modulo 2n automatically. Thus, Theorem 2 points out a way to construct generators of uniformly distributed sequences out of standard computer instructions. To construct a PRNG, one must answer the following questions: What compositions of basic machine instructions are measure-preserving? are ergodic? Given a composition of basic machine instructions, is it measure-preserving? is it ergodic? 5. Uniformly Differentiable T -Functions In this section we answer the questions raised at the end of Section 4 for some special class of T -functions, which is, however, rather wide.
V. Anashin / Non-Archimedean Theory of T-Functions
43
First we recall some known results from the long history of pseudorandom generators (which is described in, e.g., a book of Donald Knuth [19]). From these results, one could notice that, loosely speaking, the behavior of a mapping modulo 2N , where N is large, is totally determined by the behavior of this mapping modulo 2n , where n is small. • Linear Congruential Generator (Hull and Dobell, 1962). The mapping x → a · x + b, where a, b ∈ Z, is a permutation with a single cycle property modulo 2N , N ≥ 2 if and only if it is a permutation with a single cycle property modulo 4. • Bijectivity Criterion for Polynomials with Integer Coefficients (known since 1960; proved and re-proved by a number of authors). The mapping x → f (x), where f is a polynomial with rational integer coefficients, is bijective modulo 2N , N ≥ 2 if and only if it is bijective modulo 4. • Quadratic Generator (Coveyou, 1969). The mapping x → f (x), where f is a quadratic polynomial with rational integer coefficients, is transitive modulo 2N , N ≥ 3 if and only if it is transitive modulo 8.
It worth notice here that in 1980-th M.V. Larin proved that the word “quadratic” in the latter statement could be omitted! The result circulated as a manuscript that time, a journal publication [20] appeared much later. The statements mentioned above demonstrate obvious similarities in the nature. Why? To answer this question, we need a notion of a derivative modulo 2k , which was originally introduced in [4,5,12]. By the definition, for points a = (a1 , . . . , an ) and b = (b1 , . . . , bn ) of Zn2 the congruence a ≡ b (mod 2s ) means that ai − bi 2 ≤ 2−s (or, which is the same, that ai = bi + ci 2s for suitable ci ∈ Z2 , i = 1, 2, . . . , s); that is a − b2 ≤ 2−s . Definition 1. A function F = (f1 , . . . , fm ) : Zn2 → Zm 2 is said to be differentiable modulo 2k at the point u = (u1 , . . . , un ) ∈ Zn2 if there exists a positive integer rational N and an n × m matrix Fk′ (u) over Z2 (called the Jacobi matrix modulo 2k of the function F at the point u) such that for every positive rational integer K ≥ N and every h = (h1 , . . . , hn ) ∈ Zn2 the congruence F (u + h) ≡ F (u) + hFk′ (u) (mod 2k+K )
(1)
holds whenever h2 ≤ p−K . In case m = 1 the Jacobi matrix modulo 2k is called a differential modulo 2k . In the case m = n a determinant of the Jacobi matrix modulo 2k is called a Jacobian modulo 2k . Entries of the Jacobi matrix modulo 2k are called partial derivatives modulo 2k of the function F at the point u. Note 2. To be more exact, the definition speaks of differentiable modulo 2k functions with integer valued derivatives; actually the notion of a differentiable modulo 2k function is a somewhat wider one. However, it turns out that if a T -function is differentiable modulo 2k in a wider sense, it is necessarily differentiable modulo 2k in the sense of Definition 1, so throughout the paper we use the notion of differentiability modulo 2k in that (narrower) meaning.
44
V. Anashin / Non-Archimedean Theory of T-Functions
A partial derivative (respectively, a differential) modulo 2k is denoted via ∂k∂fkix(u) j n d x ). (respectively, as dk F (u) = i=1 ∂k∂Fk x(u) k i i Since the notion of a function that is differentiable modulo 2k is very important for the theory that follows, we discuss this notion in detail. Compared to differentiability, the differentiability modulo 2k is a weaker restriction. Speaking loosely, in a univariate case (m = n = 1), Definition 1 just yields that F (u + h) − F (u) ≈ Fk′ (u) h Note that whenever ≈ (“approximately”) stands for an “arbitrarily high precision” one obtains a common definition of differentiability; however, if ≈ stands for a “precision that is not worse than 2−k ”, one obtains the differentiability modulo 2k . We note that the notion of a derivative modulo 2k has no direct analog in classical Calculus: A derivative with a precision up to the k-th digit after the point, being often used in common speech, is meaningless from the rigorous point of view since there is no distinguished base in real analysis. However, this notion is meaningful in 2-adic analysis since there is a distinguished base; namely, base-2. It is obvious that whenever a function is differentiable, it is differentiable modulo 2k for all k = 1, 2, . . ., and in this case the derivative modulo 2k is just a reduction of a derivative modulo 2k (note that according to Definition 1 partial derivatives modulo 2k are determined up to a summand that is 0 modulo 2k ). Thus, we can associate to each partial derivative modulo 2k a unique element of the ring Z/2k Z; a Jacobi matrix modulo 2k at each point u ∈ Zn2 thus can be considered as a matrix over the ring Z/2k Z. For the functions that are differentiable modulo 2k for some k, the “rules of differentiation modulo 2k ” have the same (up to congruence modulo 2k instead of equality) form as for usual differentiation. For instance, if both functions G : Zs2 → Zn2 and k F : Zn2 → Zm 2 are differentiable modulo 2 at the points, respectively, v = (v1 , . . . , vs ) and u = G(v), then a composition F ◦ G : Zs2 → Zm 2 of these functions is uniformly differentiable modulo 2k at the point v, all its partial derivatives modulo 2k at this point are 2-adic integers, and (F ◦ G)′k (v) ≡ G′k (v)Fk′ (u) (mod 2k ). k Definition 2. A function F : Zn2 → Zm 2 is said to be uniformly differentiable modulo 2 n on Z2 if and only if there exists K ∈ N such that congruence (1) holds simultaneously for all u ∈ Zn2 as soon as hi 2 ≤ 2−K , (i = 1, 2, . . . , n). The least of these K is denoted Nk (F ).
Recall that all partial derivatives modulo 2k of a uniformly differentiable modulo 2k function F are periodic functions with period 2Nk (F ) , see [4, Proposition 2.12]. Thus, each partial derivative modulo 2k could be considered as a function defined on (and valuated in) the residue ring Z/2Nk (F ) Z. Moreover, if a continuation F of the function n k F = (f1 , . . . , fm ) : Nn0 → Nm 0 to the space Z2 is a uniformly differentiable modulo 2 n function on Z2 , then one can simultaneously continue the function F and all its (partial) derivatives modulo 2k to the whole space Zn2 . Consequently, we may study if necessary (partial) derivatives modulo 2k of the function F instead of those of F and vice versa. For example, a partial derivative ∂k∂fkix(u) modulo 2k vanishes modulo 2k at no point of j " " " ∂k fi (u) " (n) −k k Zn2 (that is, ∂k∂fkix(u) ≡
0 (mod 2 ) for all u ∈ Z , or, the same " 2 ∂k xj " > 2 j 2
45
V. Anashin / Non-Archimedean Theory of T-Functions
everywhere on Zn2 ) if and only if ∂k∂fkix(u)
≡ 0 (mod 2k ) for all u ∈ {0, 1, . . . , 2Nk (F ) − j 1}. Note that differentiation modulo 2k could naturally be implemented as a computer program since this differentiation just implies (for a univariate F ) estimation of the fraction (F (u + h) − F (h))/h with a k-bit precision, i.e., evaluation of the first n low order bits of the base-2 expansion of the corresponding number. To calculate a derivative of, for instance, a state transition function, which is a composition of basic machine instructions, one needs to know derivatives of these “elementary” functions, such as arithmetic and bitwise logical operations. Now we briefly introduce a 2-adic analog of a “table of derivatives” of a classical Calculus. Example 1. Derivatives of bitwise logical operations. 1. A function f (x) = x AND c is uniformly differentiable on Z2 for any c ∈ Z; f ′ (x) = 0 for c ≥ 0, and f ′ (x) = 1 for c < 0, since f (x + 2n s) = f (x), and f (x + 2n s) = f (x) + 2n s for n ≥ l(|c|), where l(|c|) is the bit length of absolute value of c (mind that for c ≥ 0 the 2-adic representation of −c starts with 2l(c) −c in less significant bits followed by . . . 11: −1 = . . . 111, −3 = . . . 11101, etc.). 2. A function f (x) = x XOR c is uniformly differentiable on Z2 for any c ∈ Z; f ′ (x) = 1 for c ≥ 0, and f ′ (x) = −1 for c < 0. This immediately follows from Item 1 since u XOR v = u + v − 2(x AND v) (the latter identity can be easily verified). Thus (x XOR c)′ = x′ + c′ − 2(x AND c)′ = 1 + 2 · (0 for c ≥ 0; −1 for c < 0). 3. In the same manner it could be shown that functions x mod 2n , NOT(x) and x OR c for c ∈ Z are uniformly differentiable on Z2 , and (x mod 2n )′ = 0, (NOT x)′ = −1, (x OR c)′ = 1 for c ≥ 0, (x OR c)′ = 0 for c < 0. 4. A function f (x, y) = xXORy is not uniformly differentiable on Z22 (as a bivariate function), yet it is uniformly differentiable modulo 2 on Z22 ; from Item 2 it follows that its partial derivatives modulo 2 are 1 everywhere on Z22 . Here is how it works altogether. Example 2. A function f (x) = x + (x2 OR 5) is uniformly differentiable on Z2 , and f ′ (x) = 1 + 2x · (x OR 5)′ = 1 + 2x. Example 3. A function F (x, y) = (f (x, y), g(x, y)) = (x XOR 2(x AND y), (y + 3x3 ) XOR x) is uniformly differentiable modulo 2 as a bivariate function, and N1 (F ) = 1; namely F (x + 2n t, y + 2m s) ≡ F (x, y) + (2n t, 2m s) ·
1x+1 0 1
(mod 2k+1 )
= F1′ (x, y) is a Jacobi for all m, n ≥ 1 (here k = min{m, n}). The matrix 01 x+1 1 matrix modulo 2 of F ; here is how we calculate partial derivatives modulo 2: for instance,
46
V. Anashin / Non-Archimedean Theory of T-Functions
∂1 (y + 3x3 ) ∂1 (u XOR x) ∂1 x ∂1 (u XOR x) ∂1 g(x, y) = · · + ∂1 x ∂1 x ∂1 u ∂1 x ∂1 x u=y+3x3 u=y+3x3 = 9x2 · 1 + 1 · 1 ≡ x + 1
(mod 2).
Note that a partial derivative modulo 2 of the function 2(x AND y is always 0 modulo 2 because of the multiplier 2: the function x AND y is not differentiable modulo 2 as bivariate function, yet 2(x AND y) is. So the Jacobian of the function F is det F1′ ≡ 1 (mod 2). n Now let F = (f1 , . . . , fm ) : Zn2 → Zm 2 and f : Z2 → Z2 be T -functions that are n uniformly differentiable on Z2 modulo 2. This is a relatively weak restriction since all uniformly differentiable on Zn2 functions, as well as functions that are uniformly differentiable on Zn2 modulo 2k for some k ≥ 1, are uniformly differentiable on Zn2 modulo 2; ∂F k−1 F k−1 note that ∂x ≡ ∂∂kkxFi ≡ ∂∂k−1 ). xi (mod 2 i
Theorem 3 ([4,5,12]). A T -function F : Zn2 → Zm 2 is measure preserving whenever it is balanced modulo 2k for some k ≥ N1 (F ) and the rank of its Jacobi matrix F1′ (u) modulo 2 is exactly m at all points u = (u1 , . . . , un ) ∈ (Z/2k Z)n . In case m = n these conditions are also necessary, i.e., the function F preserves measure if and only if it is bijective modulo 2k for some k ≥ N1 (F ) and det(F1′ (u)) ≡ 1 (mod 2) for all u = (u1 , . . . , un ) ∈ (Z/2k Z)n . Moreover, in the considered case these conditions imply that F preserves measure if and only if it is bijective modulo 2N1 (F )+1 . That is, if the mapping u → F (u) mod 2N1 (F ) is balanced, and if the rank of the Jacobi matrix F1′ (u) modulo 2 is exactly m at all points u ∈ (Z/2N1 (F ) Z)n then each mapping u → F (u) mod 2r of (Z/2r Z)n onto (Z/2r Z)m (r = 1, 2, 3, . . .) is balanced, i.e., each point u ∈ (Z/2r Z)m has the same number of preimages in (Z/2r Z)m . It worth notice here that for n > m the sufficient conditions of Theorem 3 are not necessary: a two-variate polynomial F (x, y) = 2x + y 3 serves as a counterexample, see [12]. It is an open problem to characterize multivariate measure preserving T functions F : Zn → Zn for n > m; this is not known even for multivariate polynomials with integer coefficients. Moreover, even the case n = 2 and m = 1 for these polynomials is not studied. Theorem 3 can be applied to construct wide classes of Latin squares of order 2k ×2k . Recall that a Latin square is an N × N matrix such that each its row and each column is a permutation of N symbols, say, of numbers 0, 1, . . . , N − 1. Latin squares are popular objects of combinatorics and algebra (in algebra they are known under the name of binary quasigroups); they are also used in coding theory and in some cryptographic schemes (under the name of multipermutations). It is obvious that an N × N Latin square F = (ℓij ), i, j, ℓij ∈ N = {0, 1, . . . , N − 1}, defines a bivariate mapping f : N × N → N (by the rule f (i, j) = ℓij ), which is bijective with respect to each variable, and vice versa. We say that a bivariate T -function f defines a Latin square modulo 2k whenever a reduced mapping f mod 2k : Z/2k Z × Z/2k Z → Z/2k Z defines a Latin square on N = Z/2k Z. Now Theorem 3 immediately implies the following Corollary 1. A uniformly differentiable T -function f (x, y) defines a Latin square modulo 2k for some (equivalently, for any) k > N1 (f ) if and only if it defines a Latin square
V. Anashin / Non-Archimedean Theory of T-Functions
47
modulo 2N1 (F ) and ∂1 f∂(x,y) ≡ ∂1 f∂(x,y) ≡ 1 (mod 2). Moreover, these conditions holds 1x 1y if and only if f defines a Latin square modulo 2N1 (F )+1 . Indeed, in view of Theorem 3, the function f is bijective modulo 2k with respect to either variable if and only if f is bijective modulo 2N1 (f ) with respect to either variable, and ∂1 f∂(x,y) ≡ ∂1 f∂(x,y) ≡ 1 (mod 2); and these conditions are equivalent to the 1x 1y N1 (f )+1 of the function f with respect to either variable. bijectivity modulo 2 For instance, the T -function f (x, y) = x + y + (x2 XOR y 2 ) defines a Latin square modulo 2k for all k = 1, 2, . . .. Actually with the use of more sophisticated techniques based on the full version of Theorem 3 (for arbitrary prime p, and not only for p = 2), it is possible to construct mutually orthogonal Latin squares, which can be used as block mixers for block ciphers, as cipher combiners, etc. However, this theme is outside the scope of the paper. Yet more examples of how Theorem 3 works: Example 4. We consider some T -functions that were studied in [1] to demonstrate techniques of Theorem 3. 1. A mapping (x, y) → F (x, y) = (x XOR 2(x AND y), (y + 3x3 ) XOR x) mod 2r of (Z/2r Z)2 onto (Z/2r Z)2 is bijective for all r = 1, 2, . . .. Indeed, the T -function F is bijective modulo 2N1 (F ) = 2 (direct verification) and det(F1′ (u)) ≡ 1 (mod 2) for all u ∈ (Z/2Z)2 (see the table of derivatives in Example 1 and Examples 2, 3 thereafter). 2. The following mappings of Z/2r Z onto Z/2r Z are bijective for all r = 1, 2, . . .: x → (x + 2x2 ) mod 2r , x → (x + (x2 OR 1)) mod 2r , x → (x XOR (x2 OR 1)) mod 2r . Indeed, all three T -functions are uniformly differentiable modulo 2, and N1 = 1 for all of them. So it suffices to prove that all three mappings are bijective modulo 2, i.e., as mappings of the residue ring Z/2Z modulo 2 onto itself (this could be checked by direct calculations), and that their derivatives modulo 2 vanish at no point of Z/2. The latter also holds, since the derivatives are, respectively, 1 + 4x ≡ 1
(mod 2),
1 + 2x · 1 ≡ 1
(mod 2),
1 + 2x · 1 ≡ 1
(mod 2),
since (x2 OR 1)′ = 2x · 1 ≡ 1 (mod 2), and (x XOR C)′1 ≡ 1 (mod 2), see Example 1.
48
V. Anashin / Non-Archimedean Theory of T-Functions
3. The following closely related variants of the previous mappings of Z/2r onto Z/2r are not bijective for all r = 1, 2, . . .: x → (x + x2 ) mod 2r , x → (x + (x2 AND 1)) mod 2r , x → (x + (x3 OR 1)) mod 2r , since they are T -functions that are not bijective modulo 2. 4. (See [21], also [1, Theorem 1].) Let P (x) = a0 +a1 x+· · ·+ad xd be a polynomial with integral coefficients. Then P (x) is a permutation polynomial modulo 2n (that is, is bijective modulo 2n ), n > 1, if and only if a1 is odd, (a2 + a4 + · · · ) is even, and (a3 + a5 + · · · ) is even. In view of Theorem 3 we need to verify whether the two conditions hold: first, whether P is bijective modulo 2, and second, whether P ′ (z) ≡ 1 (mod 2) for z ∈ {0, 1}. The first condition gives that P (0) = a0 and P (1) = a0 + a1 + a2 + · · · ad must be distinct modulo 2; hence a1 + a2 + · · · ad ≡ 1 (mod 2). The second condition implies that P ′ (0) = a1 ≡ 1 (mod 2), P ′ (1) ≡ a1 +a3 +a5 + · · · ≡ 1 (mod 2). Now combining all this together we get a2 + a3 + · · · ad ≡ 0 (mod 2) and a3 + a5 + · · · ≡ 0 (mod 2), hence a2 + a4 + · · · ≡ 0 (mod 2). 5. As a bonus, we can use exactly the same proof to get exactly the same characterization of bijective modulo 2r (r = 1, 2, . . .) mappings of the form x → P (x) = a0 XORa1 xXOR· · ·XORad xd mod 2r since uXORv is uniformly differentiable modulo 2 as a bivariate function, and its derivative modulo 2 is exactly the same as the derivative of u + v, and besides, u XOR v ≡ u + v (mod 2). Note that formally Theorem 3 can be applied only to the class of all T -functions that are uniformly differentiable modulo 2, which is narrower than the class of all T functions. However, it turns out that if a univariate T -function is not uniformly differentiable modulo 2 then it cannot be measure preserving. Namely, the following proposition holds, which in fact is just a restatement of a corresponding assertion of Theorem 1. Proposition 2 ([4,5]). If a T -function g : Z2 → Z2 preserves measure then it is uniformly differentiable modulo 2 and its derivative modulo 2 is always 1 modulo 2. Now the techniques introduced above could also be applied to characterize ergodic functions and thus to answer a question raised at the beginning of this section: Theorem 4 ([4,5,12]). Let a T -function f : Z2 → Z2 be uniformly differentiable modulo 4. Then f is ergodic if and only if it is transitive modulo 2N2 (f )+2 . Example 5. In [1] there is stated that “. . . the invertibility nor the cycle structure of x + (x2 OR 5) could be determined by his (i.e., mine—V.A.) techniques”. See however how it could be immediately done with the use of Theorem 4: The function f (x) = x + (x2 OR 5) is uniformly differentiable on Z2 , thus, it is uniformly differentiable modulo 4 (see Examples 1 and 2), and N2 (f ) = 3. Now to prove that f is ergodic, in view of Theorem 4 it suffices to demonstrate that f induces a permutation with a single cycle on Z/32Z. Direct calculations show that a string 0, f (0) mod 32, f 2 (0) mod 32 =
V. Anashin / Non-Archimedean Theory of T-Functions
49
f (f (0)) mod 32, . . . , f 31 (0) mod 32 is a permutation of a string 0, 1, 2, . . . , 31, thus ending the proof. Concluding the section, we note that no analog of Theorem 4 exists for multivariate T -functions: Indeed, if an ergodic T -function F : Zn2 → Zn2 is uniformly differentiable modulo 2, then necessarily n = 1, see [12]. However, multivariate ergodic T -functions that are not uniformly differentiable modulo 2 do exist, see [13]. Actually the problem of complete description of ergodic T -functions is solved only in a univariate case (see the next section); it is still open for a multivariate case.
6. Interpolation Series In this section we represent univariate T -functions as interpolation series to examine whether the function is measure-preserving, or ergodic. Contrasting to the techniques of Section 5, the techniques of interpolation series can be applied to arbitrary T -function, and not to a differentiable one. Moreover, with the use of these techniques we obtain a general method to construct measure-preserving (respectively, ergodic) T -function out of a given arbitrary T -function. We start with another (equivalent) characterization of univariate T -functions in terms of interpolation series. It is not difficult to see that every mapping f : N0 → Z2 (or, respectively, f : N0 → Z) admits one and only one representation in the form of so-called Mahler interpolation series f (x) =
∞ i=0
ai
x , i
(2)
where xi = x(x − 1) · · · (x − i + 1)/i! for i = 1, 2, . . ., and x0 = 1; ai ∈ Z2 (respectively, ai ∈ Z), i = 0, 1, 2, . . .. This statement can be easily proved directly, substituting successively x = 0, 1, 2, . . . to (2) and solving the corresponding equation with unknown ax . However, if f is uniformly continuous on N0 with respect to the 2-adic distance, it can be uniquely expanded to a uniformly continuous function on Z2 since Z is dense in f converges Z2 . Hence the interpolation series for uniformly on Z2 . The following is true ∞ (see, e.g., [10]): The series f (x) = i=0 ai xi , (ai ∈ Zp , i = 0, 1, 2, . . .) converges uniformly on Z2 if and only if limpi→∞ ai = 0, where lim2 is a limit with respect to the 2-adic distance; hence uniformly convergent series defines a uniformly continuous function on Z2 . The following theorem holds: Theorem 5 ([4,5]). The function f : Z2 → Z2 represented by (2) is a T -function if and only if ai ≡ 0
(mod 2⌊log2 i⌋ )
for all i = 2, 3, 4, . . .. (Here and after for a real α we denote ⌊α⌋ an integral part of α, i.e., the nearest to α rational integer not exceeding α.)
50
V. Anashin / Non-Archimedean Theory of T-Functions
Note that the number ⌊log2 i⌋ for i = 1, 2, 3, . . . has a “physical meaning”: it is the number of digits in a base-2 representation of i, decreased by 1; that is, a bitlength of i, decreased by 1. So within the context of the paper it is reasonable to assume that ⌊log2 0⌋ = 0. Now we can give a general characterization of measure-preserving (resp., ergodic) T -functions: Theorem 6 ([4,5]). A function f : Z2 → Z2 is a measure preserving T -function if and only if it can be represented as f (x) = c0 + x +
∞
⌊log2 i⌋+1
ci 2
i=1
x (x ∈ Z2 ). i
The function f is an ergodic T -function if and only if it can be represented as f (x) = 1 + x +
∞
ci 2
⌊log2 (i+1)⌋+1
i=1
x (x ∈ Z2 ), i
where c0 , c1 , c2 . . . ∈ Z2 . x Using the identity Δ xi = i−1 , where Δ is a difference operator, Δu(x) = u(x + 1) − u(x), we immediately deduce from Theorems 5 and 6 the following easy method to construct a measure preserving or ergodic T -function out of an arbitrary T -function: Corollary 2 ([12]). Each ergodic (respectively, each measure preserving) T -function f : Z2 → Z2 can be represented as f (x) = 1 + x + 2 · Δg(x) (respectively as f (x) = d + x + 2 · g(x)) for suitable d ∈ Z2 and a T -function g : Z2 → Z2 ; and vice versa. Here are how these techniques work: Example 6. For any odd 2-adic integer a = 1 + 2m, the T -function f (x) = ax + ax is transitive modulo 2n , for all n = 1, 2, . . . Indeed, in view of Theorem 6 the function f is an ergodic T -function f (x) = since ∞ ∞ (1 + 2m)x + (1 + 2m)x = x + 2mx + i=0 mi 2i xi = 1 + x + 4m x1 + i=2 mi 2i xi and i ≥ ⌊log2 (i + 1)⌋ + 1 for all i = 2, 3, 4, . . .. This generator may be of practical value since it uses not more than n + 1 multiplications modulo 2n of n-bit numbers; of course, one should use calls to the look-up table j a2 mod 2n , j = 1, 2, 3, . . . , n−1. The latter table must be precomputed, corresponding calculations involve n − 1 multiplications modulo 2n . Yet more results that can be proved by these techniques, see [4,12,6,7]: • A polynomial with integer coefficients is ergodic if and only if it is transitive modulo 8 (this was originally proved by Larin, see [20], however, by other methods). These T -functions give rise to non-linear congruential generators.
V. Anashin / Non-Archimedean Theory of T-Functions
51
• The T -function F (x) = a0 + b1 · (x XOR a1 ) + b2 · (x XOR a2 ) + · · · is ergodic if and only if it is transitive modulo 4. • The T -function b + b0 · (x AND 1) + b1 · (x AND 2) + b2 · (x AND 22 ) + · · · is ergodic if and only if b ≡ 1 (mod 2), b0 ≡ 1 (mod 4), and bj ≡ 1 (mod 2) for all j = 1, 2, 3, . . .. The equivalent statement reads that the function F (x) = a + a0 · δ0 (x) + a1 · δ1 (x) + · · · is an ergodic T -function if and only if a2 = 1, a0 ≡ 1 (mod 4), and aj 2 = 2−j for j = 1, 2, . . .. Since (1/2j )(x AND 2j ) = δj (x), the j-th bit in the base-2 expansion of x, these T -functions give rise to a class of self-shrinking generators. • For arbitrary polynomials u(x), v(x) ∈ Z2 [x] the entire function F (x) =
v(x) 2 · u(x) + 1
is ergodic if and only if it is transitive modulo 8. These T -functions give rise to a family of inversive generators, the ones based on taking multiplicative inverses modulo 2k . • A polynomial f (x) ∈ Q[x] of degree d with rational (and not necessarily integer!) coefficients is integer-valued (that is, f (Z2 ) ⊂ Z2 )) compatible, and ergodic if and only if f takes integral values at the points 0, 1, . . . , 2⌊log2 (deg f )⌋+3 − 1, and the mapping z → f (z) mod 2⌊log2 (deg f )⌋+3 , is compatible and transitive on Z/2⌊log2 d⌋+3 (i.e., modulo the biggest power of 2 not exceeding 8d); i.e., to verify whether all three properties hold simultaneously, one has to make approximately 8d evaluations of f (x). Note that any T -function on n-bit words could be represented by a polynomial of this kind! By the way, the example of a “wild” T -function with a single cycle property mentioned at the very end of Section 2 was constructed with the use of results introduced in the present section.
7. Properties of State Update Sequences In this section we discuss some distribution and structural properties of the sequence Z = x0 , x1 , x2 , . . ., where x1 = f (x0 ), x2 = f (x1 ), . . . , xi+1 = f (xi ) = f i+1 (x0 ), . . . , generated by the ergodic T -function f , that is, by the T -function with a single cycle property on n-bit words for all n = 1, 2, 3, . . .. Actually in cryptology we are more interested in properties of the output sequence of a PRNG since namely this sequence is used for stream encryption. On the one hand, properties of the latter sequence strongly depend on a specific design (and discussion of various designs of stream ciphers based on T -functions is outside the scope of the paper).
52
V. Anashin / Non-Archimedean Theory of T-Functions
However, on the other hand, these properties are highly influenced by the properties of the state update sequence, which we are going to discuss in this section. In view of space/time constraints we discuss only linear complexity of the state update sequence and structural properties of coordinate sequence δj (Z): δj (x0 ), δj (x1 ) = δj (f (x0 )), . . . , δj (xi+1 ) = δj (f (xi )) = δj (f i+1 (x0 )), . . . 7.1. Linear Complexity The sequence Z is the sequence of 2-adic integers, i.e., Z is the sequence over Z2 , which is a commutative ring. However, in computer implementations of PRNG we use the sequence of residues Z mod 2n = x0 mod 2n , x1 mod 2n , . . . modulo 2n of the sequence Z, where n is a bitlength of a processor. The sequence Z mod 2n is a sequence over Z/2n Z, which is also a commutative ring. Definition 3. Let Z = {zi }∞ i=0 be a sequence over a commutative ring R. Let there exist c, c0 , c1 , . . . , cr−1 ∈ R (not all equal to 0) such that for all i = 0, 1, 2, . . . holds c+
r−1 j=0
cj · zi+j = 0.
(3)
The smallest r with this property is called linear complexity λR (Z) of the sequence Z over the ring R. Note that when R is a two-element field GF(2), the latter definition gives us a common definition of a linear complexity of a binary sequence, which the length of the shortest linear feedback shift register (LFSR) that produces the given sequence. The notion of linear complexity over a commutative ring has a “geometrical meaning”: For instance, if R = Z/2n Z; then geometrically equation (3) means that all the points z
i , 2n
zi+1 zi+r−1 , , . . . , 2n 2n
i = 0, 1, 2, . . . ,
of a unit r-dimensional Euclidean hypercube fall into parallel hyperplanes. For instance, with the use of linear complexity over the residue ring Z/2n Z we can study distribution of r-tuples of the sequence produced by an ergodic T -function on n-bit words. We already know that this sequence, being considered as the sequence of elements over Z/2n Z is strictly uniformly distributed: Every element from Z/2n Z occurs at the period exactly once. But what about distribution of consecutive pairs of elements? Triples? etc. It varies. . . For example, although every transitive linear congruential generator xi+1 = a+b·xi (mod 2n ) produces a strictly uniformly distributed sequence over Z/2n Z, linear complexity over Z/2n Z of this generator is only 2; hence, distribution of pairs in produced sequences is rather poor: All the points that correspond to pairs of consecutive numbers
53
V. Anashin / Non-Archimedean Theory of T-Functions
Figure 2. Linear congruential generator 3 + 5x.
Figure 4. Generator x+x2 ORC, with C = 101.
Figure 3. Polynomial generator of degree 8.
Figure 5. Same generator, C = 10010000101010111.
with
fall into a small number of parallel straight lines in a unit square, and this picture does not depend on n, see Figure 2. Another example: The already mentioned T -function x + x2 OR C introduced by Klimov and Shamir has a single cycle property whenever C ≡ 5 (mod 8), or C ≡ 7 (mod 8), see [1]. However, distribution of pairs of consecutive terms in the sequence produced by this T -function varies from satisfactory (when there are few 1’s in more significant bit positions, see Figure 4) to poor (when there are more 1’s in these positions, see Figure 5); we consider sequences modulo 217 in both cases. This is not easy to find a T -function that guarantees good distribution of pairs. For instance, this problem is not completely solved even for quadratic ergodic polynomials with integer coefficients (see, e.g., [22,23] and a survey [24]). However, with respect to the linear complexity over residue ring the sequence Z mod 2n over Z/2n Z, generated by a compatible integer-valued ergodic polynomial f (x) ∈ Q[x] (see the very end of Section 6) of degree ≥ 2, is “asymptotically good”; cf.
54
V. Anashin / Non-Archimedean Theory of T-Functions
Figure 3 for distribution of pairs for a corresponding polynomial generator of degree 8. Namely, the following theorem holds: Theorem 7 ([12]). Whenever f ∈ Q[x] is an integer-valued compatible ergodic polynomial, then the linear complexity over the residue ring Z/2n Z of the corresponding sequence Z mod 2n = {f i (x0 ) mod 2n }∞ i=0 grows unboundedly with n, limn→∞ λZ/2n Z (Z mod 2n ) = ∞. Moreover, the growth rate of λZ/2n Z (Z mod 2n ) is not slower than log n. Actually it is not known today whether log n is a sharp bound in this theorem; the sharp bound is, may be, much better, hopefully about n. Also, for practical purposes it would be highly desirable to find other T -functions f for which the conclusion of Theorem 7 holds, especially these ones that admit simple (and fast!) implementation in software or in hardware. 7.2. Coordinate Sequences An obvious drawback of the sequence produced by an ergodic T -function f is that the less significant is the bit, the shorter is the period of the sequence it outputs: Although the length of the period of the sequence Z mod 2n = {x0 mod 2n , x1 = f (x0 ) mod 2n , x2 = f (x1 ) mod 2n , . . .} of n-bit words is 2n , the length of the period of the j-th bit sequence (of the j-th coordinate sequence) δj (Z) = {δj (x0 ), δj (x1 ), δj (x2 ), . . . , δj (xi+1 ), . . .} is only 2j+1 , (j = 0, 1, . . . , n − 1). The following proposition can be easily proved: Proposition 3. The j-th coordinate sequence δj (Z) = s0 , s1 , . . . is a purely periodic binary sequence, and 2j+1 is the length of its shortest period. The second half of the period is a bitwise negation of the first half, i.e., si+2j ≡ si + 1 (mod 2) for each i = 0, 1, 2, . . .. The linear complexity λGF(2) (δj (Z)) of the j-th coordinate sequence δj (Z) over the field GF(2) is exactly 2j + 1. The proposition means, loosely speaking, that the j-th coordinate sequence is as complex as the first half of its period. So it is important to know what sequences of length 2j could be outputted as the first half of the period of the j-th coordinate sequence; more formally, what values are taken by the rational integer γ = s0 + s1 2 + s2 22 + · · · + j s2j −1 22 −1 , for the j-th coordinate sequence δj (Z) = s0 , s1 , s2 , . . .. In other words, let γj (f, z) ∈ N0 be such a number that its base-2 expansion agrees with the first half of the period of the j th coordinate sequence; i.e., let γj (f, z) = δj (f 0 (z)) + 2 · δj (f 1 (z)) + 4 · δj (f 2 (z)) + · · · + 22 j
j
−1
j · δj f 2 −1 (z) .
Obviously, 0 ≤ γj (f, z) ≤ 22 − 1. The following natural question should be answered: Given an ergodic T -function f : Z2 → Z2 and a 2-adic integer z ∈ Z2 , what infinite
55
V. Anashin / Non-Archimedean Theory of T-Functions
j string γ0 = γ0 (f, z), γ1 = γ1 (f, z), γ2 = γ2 (f, z), . . . (where γj ∈ 0, 1, . . . , 22 − 1 for j = 0, 1, 2, . . . ) can be obtained? And the answer is: any one. Namely, the following theorem holds (which, interestingly, was proved by a “purely 2-adic” argument). Theorem 8 ([6,7]). Let Γ = {γj ∈ N0 : j = 0, 1, 2, . . .} be an arbitrary sequence j of non-negative rational integers that satisfy 0 ≤ γj ≤ 22 − 1 for j = 0, 1, 2, . . .. There exists an ergodic T -function f : Z2 → Z2 and a 2-adic integer z ∈ Z2 such that δj (z) = δ0 (γj ), δ0 (f i (z)) ≡ γ0 + i (mod 2), and #
i δj (f (z)) ≡ δi mod 2j (γj ) + j 2 i
$
(mod 2)
for all i, j ∈ N. Note 3. The sequence {⌊i/2j ⌋ mod 2}∞ i=1 is merely a binary sequence of alternating gaps and runs (i.e., blocks of consecutive 0s or 1s, respectively) of length 2j each.
8. Conclusion In the paper, we considered an approach treating T -functions as continuous mappings of the space Z2 of 2-adic integers. Within this approach were obtained important criteria (and sufficient conditions) for invertibility (resp., single cycle property) of T -functions in terms of measure preservation (resp., ergodicity) of corresponding mappings. Also, within this approach were obtained important results on distribution of produced sequences, their structure, etc. Actually the paper treats a pseudorandom number generator based on T -functions as an (autonomous) dynamical system in the phase space Z2 and demonstrates how effectively methods of the non-Archimedean dynamics work being applied to these generators. For demonstration purposes, in the paper we mentioned only results that do not involve too specific p-adic techniques and that can be easily understood on the base of analogies with a real (thus, Archimedean) analysis. That’s why a number of important results were omitted. For instance, we have not mentioned that distribution of k-tuples in sequences produced by T -functions with a single cycle property satisfy Knuth’s criterion of randomness, that coordinate sequences are good not only with respect to linear complexity (cf. Proposition 3), but also with respect to the ℓ-error linear complexity and the 2-adic complexity, see [6,7,15]. Also, we have not considered effective remedies of [6,15] to cure the unpleasant “low order bit effect” mentioned in Subsection 7.2. Due to space/time constraints we had to omit an important theme of non-autonomous dynamical systems [6,13,15] that leads to methods of combination of PRNGs into a new one, thus resulting into a flexible stream ciphers which change their recurrence laws during encryption. The latter theory exploits techniques (that is called skew products in ergodic theory, or wreath products in algebra) and thus is a generalization of the theory presented above: Actually, any T -function can be viewed as a specific composition of wreath products. In connection with what was said, we can recommend [14] for further reading.
56
V. Anashin / Non-Archimedean Theory of T-Functions
Finally, we had to omit everything concerning very important class of computer instructions based on operations with flags (e.g., any IF-operator uses flags). Actually, the corresponding mathematical tools are more sophisticated: They are based on noncommutative group theory and involve non-commutative Calculus. The corresponding theory is under development now and will be covered by future publications; some issues of this theory are mentioned in [11].
References [1] A. Klimov and A. Shamir, A new class of invertible mappings, In B.S.Kaliski Jr. et al., editors, Cryptographic Hardware and Embedded Systems 2002, Lect. Notes in Comp. Sci. 2523 (2003), SpringerVerlag, 470–483. [2] S.V. Yablonsky, Basic notions of cybernetics, In Problems of Cybernetics, Fizmatgiz, 1959 (in Russian). [3] Hans Lausch and Wilfried Nöbauer, Algebra of Polynomials, North-Holl. Publ. Co., American Elsevier Publ. Co., 1973. [4] V. Anashin, Uniformly distributed sequences of p-adic integers, Mathematical Notes 55 (1994), 109– 133. [5] V. Anashin, Uniformly distributed sequences over p-adic integers, In A.J. van der Poorten, I. Shparlinski, and H.G. Zimmer, editors, Proc. of International Conf. “Number theoretic and algebraic methods in computer science” (Moscow, June–July 1993), World Scientific, 1995, 1–18. [6] V. Anashin, Pseudorandom number generation by p-adic ergodic transformations, 2004. Available from http://arxiv.org/abs/cs.CR/0401030. [7] V. Anashin, Non-archimedean ergodic theory and pseudorandom generators, The Computer Journal, 2007 (to appear). [8] L. Kotomina, Fast nonlinear congruential generators, Diploma Thesis, Russian State University for the Humanities, Moscow, 1999. [9] N. Koblitz, p-adic Numbers, p-adic Analysis, and Zeta-functions, Springer-Verlag, 1977. [10] K. Mahler, p-adic Numbers and their Functions, Cambridge tracts in Mathematics 76 (1980), Cambridge Univ. Press. [11] V. Anashin, Uniformly distributed sequences in computer algebra, or how to constuct program generators of random numbers, J. Math. Sci. 89 (1998), 1355–1390. [12] V. Anashin, Uniformly distributed sequences of p-adic integers, II, Discrete Math. Appl. 12 (2002), 527–590. Preprint available from http://arXiv.org/abs/math.NT/0209407. [13] V. Anashin, Pseudorandom number generation by p-adic ergodic transformations: An addendum, 2004, Available from http://arxiv.org/abs/cs.CR/0402060. [14] V.S. Anashin, Non-Archimedean Analysis, T -functions, and Cryptography, Lomonosow Moscow State University, International Summer School “Mathematical Methods and Technologies in Computer Science” Lecture Notes edition, 2006. Preprint available from http://arXiv.org/abs/cs.CR/0612038. [15] V.S. Anashin, Wreath products in stream cipher design, In Proc. of the International Security and Counteracting Terrorism Conference (Moscow, 2–3 November, 2005), Lomonosov Moscow State University, NATO-Russia Counsil. Moscow, 2006, 135–161. Preprint available from http://arXiv.org/abs/cs.CR/0602012. [16] L. Kuipers and H. Niederreiter, Uniform Distribution of Sequences, John Wiley & Sons, N.Y. etc., 1974. [17] A. Katok and B. Hasselblatt, Introduction to the Modern Theory of Dynamical Systems, Cambridge University Press, 1998. [18] V. Anashin, Ergodic transformations in the space of p-adic integers, In Andrei Yu. Khrennikov, Zoran Raki´c, and Igor V. Volovich, editors, Proc. of 2nd International Conference “p-adic Mathematical Physics” (Belgrade, Serbia and Montenegro, 15–21 September, 2005), AIP Conference Proceedings 826 (2006), 3–24, Melville, New York, American Institute of Physics. Preprint available from http://arXiv.org/abs/math.DS/0602083. [19] D. Knuth, The Art of Computer Programming, volume 2, Addison-Wesley, Third edition, 1998. [20] M.V. Larin, Transitive polynomial transformations of residue class rings, Discrete Mathematics and Applications 12 (2002), 127–140.
V. Anashin / Non-Archimedean Theory of T-Functions
57
[21] R. Rivest, Permutation polynomials modulo 2w , Finite fields and appl. 7 (2001), 287–292. [22] F. Emmerich, Equidistribution properties of quadratic congruential pseudorandom numbers, J. Comput. Appl. Math. 79 (1997), 207–217. [23] J. Eichenauer-Herrmann, Quadratic congruential pseudorandom numbers: distribution of lagged pairs, J. Comput. Appl. Math. 79 (1997), 75–85. [24] J. Eichenauer-Herrmann, E. Herrmann, and S. Wegenkittl, A survey of quadratic and inversive congruential pseudorandom numbers, Lect. Notes in Statistics 127 (1998), Springer-Verlag, 66–97.
58
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-58
Classification of the Cosets of RM(1, 7) in RM(3, 7) Revisited1 Yuri BORISSOV a An BRAEKEN b Svetla NIKOVA c,2 and Bart PRENEEL c a Institute of Mathematics and Informatics, Bulgarian Academy of Sciences, Sofia, Bulgaria b Department Industrial Sciences and Technology, Erasmus Hogeschool Brussel, Brussels, Belgium c Department Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven, Leuven, Belgium and IBBT, Belgium Abstract. Based on classification of Boolean cubic forms of seven variables given by X.D. Hou in 1996, we show how to efficiently classify the cosets of RM(1, 7) in RM(3, 7) under the action of the general affine group AGL(7, 2). At the same time the sizes of the orbits are determined. We discuss also, the correctness of our computations. Keywords. Boolean function, general affine group, Reed–Muller code, affine equivalence class
Introduction The interest in studying the different types of equivalence classes of Boolean functions dates already from 1960s. Its original application was in the design of switching circuits. There exists a huge amount of works on classification with respect to the action of various groups. A thorough survey on the literature is given in the textbook by Logachev, Salnikov and Yashchenko [1]. Let Vn be n-dimensional binary vector space. A Boolean function f in n variables is a mapping from Vn into V1 . We will denote by Fn the set of all Boolean functions in n variables. Let AGL(n, 2) be the group of affine transformations of variables: x → Ax + b, where A is nonsingular n × n binary matrix and b ∈ Vn is an arbitrary vector. We consider linear subspaces of Fn , invariant under the action of AGL(n, 2). For instance, binary polynomials whose degree does not exceed a fixed r ≤ n, constitute such a subspace (the truth tables of all such polynomials form the so-called Reed–Muller code RM(r, n) of order r and length 2n ). 1 This work was supported in part by the Concerted Research Action (GOA) Ambiorics 2005/11 of the Flemish Government, by the European Commission through the IST Programme under Contract IST-2002507932 ECRYPT and the IAPP–Belgian State–Belgian Science Policy BCRYPT. 2 Corresponding Author: Svetla Nikova, Department Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven, Leuven, Belgium and IBBT, Belgium; E-mail: [email protected].
Y. Borissov et al. / Classification of the Cosets of RM(1, 7) in RM(3, 7) Revisited
59
In this paper we are interested in classification of the cosets of the RM(1, n) (first order Reed–Muller code) under the action of the general affine group AGL(n, 2). We will use the terms “affine equivalence class” and “orbit” as synonyms. For small values of n there are several known classifications: In 1972, Berlekamp and Welch [2] classified F5 into 48 affine equivalence classes using algebraic technique. In 1991, Maiorana [3] proved the existence of 150 357 orbits for n = 6 by means of computer search (see also http://www.isrc.qut.edu.au/people/fuller/). In 1995, using group-theoretical technique and computer search, Hou [4](among other things) computed the number of orbits in RM(3, 7)/ RM(1, 7) (namely 179 orbits). However, he has given neither the representatives nor the orbit sizes. In the present paper we are focused on this problem (partially considered in an earlier version [5]). We should also mention that in 1980 J. Denev and V. Tonchev established an asymptotic bound [6]. Their main result states that the number of affine equivalence classes of n the cosets of RM(1, n) is asymptotically equal to 22 −n−1 /| AGL(n, 2)|. This paper is organized as follows. In next section we recall some definitions, facts and formulate the problem. Then we explain our approach to the considered problem for classification of the cosets of RM(1, 7) in RM(3, 7). In fourth section we discuss the correctness of our computations. Finally, we end with some conclusions. All numerical results are present in the Appendix.
1. Definitions and Preliminaries First, for the sake of completeness we give the definitions of Walsh transform, autocor relation function and derivative of a Boolean function. Below stands for the ordinary integer summation, while + is used for the modulo 2 summation or component-wise modulo 2 summation when vectors are involved. A Boolean function f is uniquely determined by its Walsh transform, which is an integer-valued function over Vn that can be defined for all ω ∈ Vn as Wf (ω) =
x∈Vn
(−1)f (x)+x·ω = 2n − 2 wt(f + x · ω).
Here the dot product or scalar product of the vectors x = (x1 , x2 , . . . , xn ) and ω = (ω1 , ω2 , . . . , ωn ) is defined as x · ω = x1 ω1 + x2 ω2 + · · · + xn ωn . The weight of a function f is equal to the number of nonzero positions in the truth table of f and is denoted by wt(f ). We also, recall the definition of the autocorrelation function (or spectrum) of a Boolean function f , which is an integer-valued function over Vn that can be defined for all ω ∈ Vn as rf (ω) =
(−1)f (x)+f (x+ω) .
x∈Vn
Related to the autocorrelation spectrum is the definition of derivative of f with respect to the vector ω ∈ Vn as a Boolean function Dω f (x) = f (x) + f (x + ω).
60
Y. Borissov et al. / Classification of the Cosets of RM(1, 7) in RM(3, 7) Revisited
Definition. Two cosets of RM(r, n) with representatives f and g, respectively, are called affine equivalent when g(x) = f (Ax + b) + h(x) for some nonsingular A, b and h, where h is a Boolean function of degree ≤ r. In other words two cosets are affine equivalent if they belong to the same orbit under the action of AGL(n, 2) over the quotient space RM(n, n)/ RM(r, n). The general problem we consider in this paper is the following: Problem. Classify the cosets of RM(1, n) under the action of the general affine group AGL(n, 2) i.e., find the number of affine equivalence classes (orbits) and describe a representative for each class. This problem is related to the determination of the weight distribution of the cosets of the RM(1, n) or equivalently, to the approximation of Boolean functions by the affine functions (i.e., the Boolean functions whose degree is ≤ 1). Let us recall the following proposition (see, e.g., [7]). Proposition. The distribution of the absolute values of the Walsh transform is an affine invariant, i.e., for every two affine equivalent functions these distributions are equal. Similarly, every two affine equivalent functions have equal distributions of the absolute values of their autocorrelation spectra. Finally, we recall that the so-called Boolean forms are those functions which are represented by the binary homogenous polynomials.
2. Our Approach In order to overcome the large computational complexity of the problem for classifying RM(3, 7)/ RM(1, 7) we apply two main ideas: • We search for the representatives of different orbits of RM(3, 7)/ RM(1, 7) under the action of AGL(7, 2), starting from representatives of the eleven nontrivial orbits of RM(3, 7)/ RM(2, 7) as described by Hou [8] (independent work on that classification is given in [9]). For each such coset run through all functions which are sum of the representative with a quadratic Boolean form of 7 variables. So, we explore the space of 11 · 221 possibilities, which is feasible computational task. • To distinguish the affine inequivalent cosets of RM(1, 7) we use a special kind of invariant described as follows: For every explored function f compute all its 254 restrictions with respect to hyperplanes of the finite Euclidean geometry EG(7, 2) and determine the affine equivalence classes of RM(3, 6)/ RM(1, 6) to which they belong. The last task involves computation of derivatives with respect to all directions as well as the Walsh and the autocorrelation spectrum of functions in 6 variables. In this way a vector of length 34 (distribution of the classes) is obtained whose components are the frequencies of the classes to which restrictions of f belong. Clearly, this vector is an affine invariant since every hyperplane is
Y. Borissov et al. / Classification of the Cosets of RM(1, 7) in RM(3, 7) Revisited
61
transformed into hyperplane under the action of an affine transformation. It turns out that this invariant is capable to discriminate the 179 affine inequivalent cosets (see the Appendix). Simultaneously, we count the sizes of the orbits. Note that similar types of invariants are described by Brier and Langevin for the problem of classification of Boolean cubic forms of nine variables [10]. Herein, we describe more formally the algorithm for the problem involved in computation of the basic affine invariant. Namely, if f is a cubic Boolean function in 6 variables, how to determine the class of the coset of RM(1, 6) to which f belongs: Step 1. Determine the class of f in RM(3, 6)/ RM(2, 6): For every ω ∈ V6 \ 0
(a) Compute the derivative Dω f . (b) Determine the class of Dω f in RM(2, 6)/ RM(1, 6) and store it (according to Dickson’s theorem [11] there are four of them).
The collected distribution of classes of RM(2, 6)/ RM(1, 6) uniquely determines the class of f in RM(3, 6)/ RM(2, 6) (there exist 6 different distributions of this type) [8]. Step 2. Knowing the class of f in RM(3, 6)/ RM(2, 6), and computing the affine invariants connected with the Walsh and autocorrelation spectrum (see the Proposition), we uniquely determine the class of f in RM(3, 6)/ RM(1, 6). There are 34 such distributions [4].
3. The Correctness of Computations Before stating the next theorem, we will introduce a new notation. For a cubic Boolean form f of n variables and arbitrary ω ∈ Vn , let fω be the binary polynomial obtained from Dω f by deleting all linear terms. Clearly, fω is a quadratic Boolean form. We will need the following modification of a theorem which was for the first time stated by Desaki, Fujiwara and Kasami in [12]. Theorem. (i) Δf = {fω | ω ∈ Vn } is a linear subcode of RM(2, n). (ii) Let the subspace δf of RM(2, n) is defined by RM(2, n) = Δf ⊕ δf . Then δf is invariant under the transformation x → x + a for any a ∈ Vn (⊕ stands for direct sum). (iii) The size of any orbit consisting of affine equivalent cosets of RM(1, n) in f + RM(2, n) is divisible by 2dim Δf . In fact, this theorem could be stated in a more general settings. However, this particular form is sufficient for our goals here. The interested reader is referred to [12] for the proof. Using part (iii), we are able to check our computations. For example, the dimension of Δf4 is 6, and the cardinalities of all 10 cosets with representatives having cubic part f4 are divisible by 64, as can be seen from the Appendix. The proof of part (iii) of the Theorem implies also the possibility for further reduction of computational complexity by a factor of 2dim Δf confining the exploration in the space (f + δf )/ RM(1, n).
62
Y. Borissov et al. / Classification of the Cosets of RM(1, 7) in RM(3, 7) Revisited
Remark. Independently, this classification problem was considered in the work of Meng Qing-shu et al. [13]. In their paper, however, only the numbers of the orbits of RM(3, 7)/ RM(1, 7) in each of the representatives of the twelve orbits of RM(3, 7)/ RM(2, 7) are given. The results are consistent with ours.
4. Conclusion In the present paper we describe an approach to the problem for classification of the cosets of RM(1, 7) in RM(3, 7) under the action of the group AGL(7, 2). The affine invariant we make use of discriminates the 179 orbits of RM(3, 7)/ RM(1, 7). We count the size of any such orbit as well as we present a representative. Finally, by using a theorem from Coding Theory we are able to check our computations for correctness. This theorem can also be used to reduce the computational complexity of the task and might help the next case n = 8 to be attacked.
Acknowledgements Yuri Borissov wishes to thank the Division of Electronics and Information Engineering at Chonbuk National University, R. of Korea for their hospitality while preparing the final version of this paper.
References [1] O. A. Logachev, A. A. Salnikov, and V. V. Yashchenko, Boolean Functions in Coding Theory and Cryptography, Moscow, 2004 (in Russian). [2] E.R. Berlekamp and L.R. Welch, Weight distribution of the cosets of (32, 6) Reed–Muller code, IEEE Transactions on Information Theory IT-18(1) (1972), 203–207. [3] J. A. Maiorana, A classification of the cosets of the Reed–Muller code R(1, 6), Mathematics of Computation 57(195) (1991), 403-414. [4] X.-D. Hou, AGL(m, 2) acting on RM(r, m)/ RM(s, m), Journal of Algebra 171 (1995), 921–938. [5] A. Braeken, S. Nikova, Y. Borissov, and B. Preneel, Classification of cubic Boolean functions in 7 variables, Proc. of the 26th Symposium on Information Theory in the Benelux 2005, May 19-20, 2005, Brussels, Belgium, 285–292. [6] J. D. Denev and V. D. Tonchev, On the number of equivalence classes of Boolean functions under a transformation group, IEEE Transactions on Information Theory IT-26(5) (1980), 625–626. [7] B. Preneel, Analysis and design of cryptographic hash functions, Ph.D. Thesis, Katholieke Universiteit Leuven, 1993. [8] X.-D. Hou, GL(m, 2) acting on R(r, m)/R(r − 1, m), Discrete Mathematics 149 (1996), 99–122. [9] A.V. Cheremushkin, Methods of affine and linear classification of binary functions, Proc. of the Russian Academy of Sciences. Academy of Cryptography of Russian Federation. Procedings on Discrete Mathematics 4 (2001), 273–314. [10] E. Brier and Ph. Langevin, Classification of Boolean cubic forms of nine variables, IEEE Information Theory Workshop 2003, 179–182. [11] F.J. MacWilliams and N.J.A. Sloane, The Theory of Error-Correcting Codes, Elsevier Science Publishers B.V., 1977. [12] Y. Desaki, T. Fujiwara, and T. Kasami, The weight distributions of extended binary primitive BCH codes of length 128, IEEE Transactions on Information Theory, IT-43(4) (1997), 1364–1371. [13] Meng Qing-shu, Yang min, Zhang Huan-guo, and Liu Yu-zhen, Analysis of affinely equivalent Boolean functions, Cryptology ePrint Archive, Report 2005/025, http://eprint.iacr.org/.
Y. Borissov et al. / Classification of the Cosets of RM(1, 7) in RM(3, 7) Revisited
63
Table 1. Representatives of RM(3, 7)/ RM(2, 7) together with sizes of orbits Class
Representative
ν(3, 7, f )
f1 f2
0 123
1 11 811
f3 f4 f5 f6 f7
123 + 245 123 + 456 123 + 245 + 346 123 + 145 + 246 + 356 + 456 127 + 347 + 567
2 314 956 45 354 240 59 527 440 21 165 440 1 763 776
123 + 456 + 147 123 + 245 + 346 + 147 123 + 456 + 147 + 257 123 + 145 + 246 + 356 + 456 + 167 123 + 145 + 246 + 356 + 456 + 167 + 247
2 222 357 760 238 109 760 17 778 862 080 444 471 552 13 545 799 680
f8 f9 f10 f11 f12
Appendix Denote by ν(r, n, f ) the number of cosets in the orbit containing f + RM(r − 1, n). The values of ν(3, 7, fi ) for the twelve representatives fi , 1 ≤ i ≤ 12 of RM(3, 7)/ RM(2, 7) are represented in Table 1. The sizes of orbits and the distributions of absolute values of the Walsh and autocorrelation spectra of the 179 affine equivalence classes of RM(3, 7)/ RM(1, 7) can be found in the next table. Table 2. Coset of RM(3, 7) f1
f2
0 12 14 + 23 16 + 25 + 34 0 14
Walsh Transform
Autocorrelation Function
1 2 667 330 708
(0, 127), (128, 1) (0, 124), (64, 4) (0, 112), (32, 16)
1 763 776 8
(0, 64), (16, 64) (0, 120), (32, 7), (96, 1) (0, 118), (32, 8), (64, 2) (0, 112), (32, 16)
(128, 128) (0, 96), (128, 32) (0, 120), (128, 32) (0, 126), (128, 2) (64, 112), (128, 16) (0, 72), (64, 48), (128, 8) (0, 108), (64, 16), (128, 4) (0, 126), (128, 2) (0, 96), (64, 28), (128, 4) (0, 114), (64, 12), (128, 2) (0, 123), (64, 4), (128, 1) (0, 120), (64, 7), (128, 1) (32, 64), (64, 60), (128, 4)
840
24 + 15
11 760
16 + 24 + 34 45
20 160 17 920
45 + 17 + 26
752 640
(0, 64), (16, 64) (0, 96), (16, 28), (48, 2) (0, 88), (16, 32), (32, 8) (0, 64), (16, 64)
47 + 56
917 504
(8, 112), (24, 16)
32
(0, 96), (16, 30), (48, 1), (80, 1)
16 + 45
f3
Number of Cosets ( × ν(7, 3, f ))
0
3 766 320
64
Y. Borissov et al. / Classification of the Cosets of RM(1, 7) in RM(3, 7) Revisited
Table 2 (continued). Coset of RM(3, 7) 13
320
14
480
16
23 040
26
96
26 + 13
960
26 + 14
1 440
26 + 17
23 040
34 + 13 + 15
f4
Number of Cosets ( × ν(7, 3, f ))
192
Walsh Transform
Autocorrelation Function
(0, 115), (32, 12), (64, 1) (0, 92), (16, 28), (48, 4) (0, 92), (16, 30), (32, 4), (48, 2) (0, 94), (16, 32), (64, 2) (0, 112), (32, 16)
(0, 36), (32, 64), (64, 24), (128, 4) (0, 48), (32, 64), (64, 12), (128, 4) (0, 78), (32, 32), (64, 16), (128, 2) (0, 66), (64, 60), (128, 4) (0, 102), (64, 24), (128, 2) (0, 114), (64, 12), (128, 2) (0, 60), (32, 64), (128, 1) (0, 60), (32, 64), (128, 4) (0, 90), (32, 32), (128, 2) (0, 126), (128, 2) (0, 123), (64, 4), (128, 1) (0, 108), (32, 16), (64, 3), (128, 1) (0, 105), (32, 16), (64, 6), (128, 1) (0, 111), (32, 16), (128, 1) (0, 96), (32, 16), (64, 15), (128, 1) (0, 111), (32, 16), (128, 1) (0, 105), (32, 16), (64, 6), (128, 1) (0, 96), (32, 16), (64, 15), (128, 1) (32, 98), (64, 28), (128, 2) (0, 48), (32, 66), (64, 12), (128, 2)
(0, 88), (16, 32), (32, 8) (0, 88), (16, 32), (32, 8) (0, 112), (32, 16)
34 + 16
69 120
13 + 15 + 26 + 34 34 + 26 + 17
576 69 120
(0, 88), (16, 32), (32, 8) (0, 64), (16, 64) (0, 64), (16, 64)
36 + 17
983 040
(8, 112), (24, 16)
46 + 17
491 520
46 + 35 + 17
184 320
(0, 76), (16, 48), (32, 4) (0, 64), (16, 64)
67
184 320
67 + 13
327 680
67 + 14
491 520
67 + 34 + 14 + 13
196 608
0
64
14
3 136
17
7 168
15 + 24
18 816
24 + 17
150 528
34 + 25 + 16
10 752
34 + 25 + 17
301 056
(8, 120), (24, 4), (40, 4) (0, 64), (16, 64) (0, 76), (16, 48), (32, 4) (8, 120), (24, 4), (40, 4) (0, 64), (8, 49), (24, 14), (72, 1) (0, 64), (8, 49), (24, 12), (40, 2), (56, 1) (0, 48), (8, 56), (16, 14), (24, 8), (48, 2) (0, 64), (8, 46), (24, 15), (40, 3) (0, 44), (8, 56), (16, 16), (24, 8), (32, 4) (0, 64), (8, 42), (24, 21), (40, 1) (0, 32), (8, 56), (16, 32), (24, 8)
(0, 72), (32, 42), (64, 13), (128, 1) (0, 72), (32, 50), (64, 4), (128, 2) (0, 96), (32, 26), (64, 5), (128, 1) (0, 84), (32, 42), (128, 2) (0, 108), (32, 18), (64, 1), (128, 1)
Y. Borissov et al. / Classification of the Cosets of RM(1, 7) in RM(3, 7) Revisited
Table 2 (continued). Coset of RM(3, 7) 47 + 17
f5
100 352
47 + 25 + 17
131 360
47 + 35 + 26 + 16
602 112
0 12 + 13
448 1 792
15
14 336
17
114 688
12 + 13 + 25 14 + 25 25 + 15 + 16
448 1 344 14 336
25 + 17
344 064
26 + 17
344 064
27
3 584
27 + 13
10 752
27 + 14
10 752
27 + 15
114 688
27 + 16
43 008
35 + 26 + 25 + 12 + 13 + 14 35 + 26 + 25 + 17
64
Walsh Transform
Autocorrelation Function
(0, 38), (8, 60), (16, 24), (24, 2), (32, 2), (40, 2) (0, 38), (8, 56), (16, 24), (24, 8), (32, 2) (0, 32), (8, 56), (16, 32), (24, 8) (0, 91), (16, 32), (32, 4), (64, 1) (0, 92), (16, 30), (32, 4), (48, 2) (0, 90), (16, 31), (32, 6), (48, 1) (8, 116), (24, 10), (40, 2) (0, 112), (32, 16)
(0, 87), (32, 34), (64, 6), (128, 1)
(0, 88), (16, 32), (32, 8) (0, 88), (16, 32), (32, 8) (0, 76), (16, 48), (32, 4) (8, 112), (24, 16) (0, 80), (16, 46), (48, 2) (0, 88), (16, 32), (32, 8) (0, 76), (16, 48), (32, 4) (8, 112), (24, 16) (0, 76), (16, 48), (32, 4) (0, 64), (16, 64)
114 688
(0, 64), (16, 64)
3 584
(0, 64), (16, 64)
43 008
(0, 64), (16, 64)
56 + 17
458 752
(8, 112), (24, 16)
56 + 25 + 17
458 752
(0, 70), (16, 56), (32, 2) (0, 64), (8, 45), (24, 18), (56, 1) (0, 64), (8, 46), (24, 15), (40, 3)
35 + 27 + 13 + 14 35 + 27 + 16
f6
Number of Cosets ( × ν(7, 3, f ))
0 12 + 13
3 584 21 504
(0, 99), (32, 26), (64, 2), (128, 1) (0, 105), (32, 22), (128, 1) (0, 18), (32, 96), (64, 12), (128, 2) (0, 54), (32, 64), (64, 8), (128, 2) (0, 60), (32, 64), (64, 2), (128, 2) (0, 84), (32, 40), (64, 3), (128, 1) (0, 54), (32, 64), (64, 8), (128, 2) (0, 90), (32, 32), (64, 4), (128, 2) (0, 78), (32, 48), (128, 2) (0, 93), (32, 32), (64, 2), (128, 1) (0, 102), (32, 24), (64, 1), (128, 1) (0, 69), (32, 48), (64, 10), (128, 1) (0, 87), (32, 32), (64, 8), (128, 1) (0, 105), (32, 16), (64, 6), (128, 1) (0, 102), (32, 24), (64, 1), (128, 1) (0, 93), (32, 32), (64, 2), (128, 1) (0, 126), (128, 2) (0, 111), (32, 16), (128, 1) (0, 123), (64, 4), (128, 1) (0, 111), (32, 16), (128, 1) (0, 99), (32, 28), (128, 1) (0, 99), (32, 28), (128, 1) (0, 36), (32, 90), (128, 2) (0, 60), (32, 66), (128, 2)
65
66
Y. Borissov et al. / Classification of the Cosets of RM(1, 7) in RM(3, 7) Revisited
Table 2 (continued). Coset of RM(3, 7) 17
f8
129 024
Walsh Transform
Autocorrelation Function (0, 81), (32, 46), (128, 1)
23 + 14
645 120
23 + 14 + 12
516 096
(0, 32), (8, 60), (16, 32), (24, 2), (40, 2) (0, 64), (8, 42), (24, 21), (40, 1) (0, 38), (8, 56), (16, 24), (24, 8), (32, 2) (0, 32), (8, 56), (16, 32), (24, 8) (8, 126), (56, 1), (72, 1) (0, 90), (16, 31), (32, 6), (48, 1) (8, 120), (24, 4), (40, 4) (0, 76), (16, 48), (32, 4) (8, 112), (24, 16)
23 + 15
483 840
(8, 112), (24, 16)
34+25+23+16+14
368 640
(0, 64), (16, 64)
23 + 15 + 14
f7
Number of Cosets ( × ν(7, 3, f ))
7 680
23 + 16
1 290 240
25 + 17
645 120
0
128
12
43 008
13
40 320
0
128
15
768
17
1 024
15 + 23
3 072
23 + 17
2 048
15 + 24
1 152
25
4 608
25 + 16
9 216
25 + 17
18 432
(0, 37), (8, 64), (16, 24), (32, 2), (64, 1) (0, 38), (8, 64), (16, 22), (32, 2), (48, 2) (0, 48), (8, 55), (16, 16), (24, 7), (40, 1), (56, 1) (0, 48), (8, 52), (16, 16), (24, 10), (40, 2) (0, 60), (8, 50), (24, 13), (32, 4), (40, 1) (0, 34), (8, 64), (16, 24), (32, 6) (0, 36), (8, 64), (16, 23), (32, 4), (48, 1) (0, 34), (8, 64), (16, 24), (32, 6) (0, 48), (8, 52), (16, 16), (24, 10), (40, 2)
(0, 84), (32, 42), (128, 2) (0, 93), (32, 34), (128, 1) (0, 105), (32, 22), (128, 1) (16, 64), (64, 63), (128, 1) (0, 45), (16, 64), (64, 18), (128, 1) (0, 48), (16, 64), (64, 15), (128, 1) (0, 57), (16, 64), (64, 6), (128, 1) (0, 60), (16, 64), (64, 3), (128, 1) (0, 60), (16, 64), (64, 3), (128, 1) (0, 63), (16, 64), (128, 1) (16, 32), (32, 82), (64, 13), (128, 1) (0, 36), (16, 32), (32, 50), (64, 9), (128, 1) (0, 27), (16, 32), (32, 58), (64, 10), (128, 1) (0, 63), (16, 32), (32, 26), (64, 6), (128, 1) (0, 54), (16, 32), (32, 34), (64, 7), (128, 1) (0, 72), (16, 32), (32, 18), (64, 5), (128, 1) (0, 48), (16, 32), (32, 42), (64, 5), (128, 1) (0, 66), (16, 32), (32, 26), (64, 3), (128, 1) (0, 57), (16, 32), (32, 34), (64, 4), (128, 1)
Y. Borissov et al. / Classification of the Cosets of RM(1, 7) in RM(3, 7) Revisited
Table 2 (continued). Coset of RM(3, 7)
Walsh Transform
Autocorrelation Function
18 432
(0, 48), (8, 48), (16, 16), (24, 16)
25 + 23 + 17
18 423
27
24 576
27 + 15
73 728
27 + 23
12 288
27 + 15 + 23
36 684
34 + 25 + 16
4 608
(0, 48), (8, 50), (16, 16), (24, 13), (40, 1) (0, 38), (8, 60), (16, 24), (24, 2), (32, 2), (40, 2) (0, 38), (8, 56), (16, 24), (24, 8), (32, 2) (0, 46), (8, 56), (16, 15), (24, 8), (32, 2), (48, 1) (0, 44), (8, 56), (16, 16), (24, 8), (32, 4) (0, 22), (8, 64), (16, 40), (32, 2)
34 + 27 + 23
12 288
34 + 27 + 23 + 15
36 864
35 + 26
12 288
(0, 48), (8, 48), (16, 16), (24, 16)
35 + 26 + 17
36 864
(0, 28), (8, 64), (16, 32), (32, 4)
35 + 26 + 23 + 17
12 288
(0, 28), (8, 64), (16, 32), (32, 4)
27 + 35
147 456
35 + 27 + 16
147 456
35 + 27 + 34
147 456
35 + 27 + 23 + 16
147 456
57 + 27
147 456
57 + 27 + 16
294 912
(0, 38), (8, 56), (16, 24), (24, 8), (32, 2) (0, 32), (8, 56), (16, 32), (24, 8) (0, 38), (8, 56), (16, 24), (24, 8), (32, 2) (0, 32), (8, 56), (16, 32), (24, 8) (0, 38), (8, 58), (16, 24), (24, 5), (32, 2), (40, 1) (0, 38), (8, 56), (16, 24), (24, 8), (32, 2)
(0, 75), (16, 32), (32, 18), (64, 2), (128, 1) (0, 66), (16, 32), (32, 26), (64, 3), (128, 1) (0, 57), (16, 32), (32, 34), (64, 4), (128, 1) (0, 75), (16, 32), (32, 18), (64, 2), (128, 1) (0, 48), (16, 32), (32, 42), (64, 5), (128, 1) (0, 66), (16, 32), (32, 26), (64, 3), (128, 1) (0, 84), (16, 32), (32, 10), (64, 1), (128, 1) (0, 66), (16, 32), (32, 26), (64, 3), (128, 1) (0, 84), (16, 32), (32, 10), (64, 1), (128, 1) (0, 72), (16, 32), (32, 22), (64, 1), (128, 1) (0, 72), (16, 32), (32, 22), (64, 1), (128, 1) (0, 72), (16, 32), (32, 22), (64, 1), (128, 1) (0, 72), (16, 32), (32, 22), (64, 1), (128, 1) (0, 81), (16, 32), (32, 14), (128, 1) (0, 72), (16, 32), (32, 22), (64, 1), (128, 1) (0, 81), (16, 32), (32, 14), (128, 1) (0, 63), (16, 32), (32, 30), (64, 2), (128, 1) (0, 72), (16, 32), (32, 22), (64, 1), (128, 1)
25 + 23 + 16
Number of Cosets ( × ν(7, 3, f ))
(0, 44), (8, 56), (16, 16), (24, 8), (32, 4) (0, 32), (8, 56), (16, 32), (24, 8)
67
68
Y. Borissov et al. / Classification of the Cosets of RM(1, 7) in RM(3, 7) Revisited
Table 2 (continued). Coset of RM(3, 7) 57 + 34 + 27 + 16 57 + 36 + 27
f9
f10
Number of Cosets ( × ν(7, 3, f ))
147 456 589 824
Walsh Transform
Autocorrelation Function
(0, 32), (8, 56), (16, 32), (24, 8) (0, 35), (8, 56), (16, 28), (24, 8), (32, 1) (8, 119), (24, 7), (40, 1), (56, 1) (8, 116), (24, 10), (40, 2)
(0, 81), (16, 32), (32, 14), (128, 1) (0, 75), (16, 32), (32, 20), (128, 1)
0
1 024
15
21 504
17
14 336
(0, 78), (16, 47), (32, 2), (48, 1)
23 + 17
14 336
(0, 88), (16, 32), (32, 8)
25 + 16
86 016
(0, 76), (16, 48), (32, 4)
26 + 15
43 008
(8, 112), (24, 16)
27 + 17 + 15
57 344
(8, 112), (24, 16)
35 + 27 + 16 + 15
24 576
(0, 64), (16, 64)
56
229 376
(0, 76), (16, 48), (32, 4)
56 + 17
229 376
(8, 114), (24, 13), (40, 1)
56 + 16 + 15
688 128
(0, 76), (16, 48), (32, 4)
56 + 27 + 15
688 128
(8, 112), (24, 16)
768
(0, 40), (8, 57), (16, 24), (24, 6), (56, 1) (0, 38), (8, 60), (16, 23), (24, 4), (32, 2), (48, 1) (0, 40), (8, 58), (16, 24), (24, 3), (40, 3) (0, 40), (8, 56), (16, 24), (24, 6), (40, 2)
0
13
9 216
15
1 536
16
9 216
(16, 64), (32, 56), (64, 7), (128, 1) (0, 36), (16, 64), (32, 24), (64, 3), (128, 1) (0, 27), (16, 64), (32, 32), (64, 4), (128, 1) (0, 27), (16, 64), (32, 32), (64, 4), (128, 1) (0, 45), (16, 64), (32, 16), (64, 2), (128, 1) (0, 54), (16, 64), (32, 8), (64, 1), (128, 1) (0, 54), (16, 64), (32, 8), (64, 1), (128, 1) (0, 63), (16, 64), (128, 1) (0, 42), (16, 64), (32, 20), (64, 1), (128, 1) (0, 42), (16, 64), (32, 20), (64, 1), (128, 1) (0, 42), (16, 64), (32, 20), (64, 1), (128, 1) (0, 51), (16, 64), (32, 12), (128, 1) (0, 12), (16, 48), (32, 64), (64, 3), (128, 1) (0, 33), (16, 48), (32, 44), (64, 2), (128, 1) (0, 36), (16, 48), (32, 40), (64, 3), (128, 1) (0, 42), (16, 48), (32, 36), (64, 1), (128, 1)
Y. Borissov et al. / Classification of the Cosets of RM(1, 7) in RM(3, 7) Revisited
Table 2 (continued). Coset of RM(3, 7) 23 + 14
Number of Cosets ( × ν(7, 3, f ))
18 432
15 + 23
9 216
23 + 16
36 864
23 + 16 + 13
18 432
24 + 15
768
24 + 16
9 216
26 + 16
9 216
27 + 17 + 16
18 432
27 + 23 + 17 + 13
512
27 + 23 + 17 + 13
512
27+23+17+16+13
9 216
34 + 16
6 144
34 + 16 + 13
36 864
34 + 17 + 16 + 13
18 432
34+23+17+16+13
36 864
34 + 26 + 23
3 072
34 + 26 + 23 + 14
3 072
34+26+23+17+13
6 144
Walsh Transform
Autocorrelation Function
(0, 46), (8, 54), (16, 16), (24, 9), (32, 2), (40, 1) (0, 36), (8, 60), (16, 24), (24, 4), (32, 4) (0, 36), (8, 60), (16, 24), (24, 4), (32, 4) (0, 46), (8, 52), (16, 16), (24, 12), (32, 2) (0, 40), (8, 54), (16, 24), (24, 9), (40, 1) (0, 40), (8, 52), (16, 24), (24, 12)
(0, 45), (16, 48), (32, 32), (64, 2), (128, 1) (0, 57), (16, 48), (32, 20), (64, 2), (128, 1) (0, 54), (16, 48), (32, 24), (64, 1), (128, 1) (0, 54), (16, 48), (32, 24), (64, 1), (128, 1) (0, 60), (16, 48), (32, 16), (64, 3), (128, 1) (0, 66), (16, 48), (32, 12), (64, 1), (128, 1) (0, 54), (16, 48), (32, 24), (64, 1), (128, 1) (0, 54), (16, 48), (32, 24), (64, 1), (128, 1) (0, 36), (16, 48), (32, 40), (64, 3), (128, 1) (0, 36), (16, 48), (32, 40), (64, 3), (128, 1) (0, 54), (16, 48), (32, 24), (64, 1), (128, 1) (0, 63), (16, 48), (32, 16), (128, 1)
(0, 40), (8, 54), (16, 24), (24, 9), (40, 1) (0, 40), (8, 54), (16, 24), (24, 9), (40, 1) (0, 48), (8, 52), (16, 15), (24, 12), (48, 1) (0, 58), (8, 52), (24, 12), (32, 6) (0, 46), (8, 52), (16, 16), (24, 12), (32, 2) (0, 30), (8, 60), (16, 32), (24, 4), (32, 2) (0, 40), (8, 52), (16, 24), (24, 12) (0, 30), (8, 60), (16, 32), (24, 4), (32, 2) (0, 30), (8, 60), (16, 32), (24, 4), (32, 2) (0, 36), (8, 60), (16, 24), (24, 4), (32, 4) (0, 24), (8, 60), (16, 40), (24, 4) (0, 40), (8, 52), (16, 24), (24, 12)
(0, 63), (16, 48), (32, 16), (128, 1) (0, 63), (16, 48), (32, 16), (128, 1) (0, 63), (16, 48), (32, 16), (128, 1) (0, 51), (16, 48), (32, 28), (128, 1) (0, 75), (16, 48), (32, 4), (128, 1) (0, 63), (16, 48), (32, 16), (128, 1)
69
70
Y. Borissov et al. / Classification of the Cosets of RM(1, 7) in RM(3, 7) Revisited
Table 2 (continued). Coset of RM(3, 7) 36
98 304
36 + 13
32 768
36 + 15 + 13
98 304
36 + 24 + 15
32 768
37
73 728
37 + 14
73 728
37 + 16
294 912
37 + 25 + 13
6 144
37 + 25 + 13 + 14
18 432
37 + 23 + 15 + 13
18 432
37 + 23 + 16
37 + 25 + 24 + 15 + 14 + 13 37 + 24 + 23 + 16 37 + 36
147 456
6 144
147 456 98 304
37 + 36 + 13
294 912
37 + 36 + 15
294 912
37+36+24+15+13 f11
Number of Cosets ( × ν(7, 3, f ))
0
98 304 6 144
Walsh Transform
Autocorrelation Function
(0, 33), (8, 60), (16, 28), (24, 4), (32, 3) (0, 40), (8, 54), (16, 24), (24, 9), (40, 1) (0, 40), (8, 52), (16, 24), (24, 12) (0, 27), (8, 60), (16, 36), (24, 4), (32, 1) (0, 38), (8, 58), (16, 24), (24, 5), (32, 2), (40, 1) (0, 38), (8, 56), (16, 24), (24, 8), (32, 2) (0, 35), (8, 56), (16, 28), (24, 8), (32, 1) (0, 40), (8, 56), (16, 23), (24, 8), (48, 1) (0, 44), (8, 56), (16, 16), (24, 8), (32, 4) (0, 38), (8, 56), (16, 24), (24, 8), (32, 2) (0, 38), (8, 56), (16, 24), (24, 8), (32, 2) (0, 32), (8, 56), (16, 32), (24, 8)
(0, 57), (16, 48), (32, 22), (128, 1)
(0, 32), (8, 56), (16, 32), (24, 8) (0, 35), (8, 58), (16, 28), (24, 5), (32, 1), (40, 1) (0, 38), (8, 56), (16, 24), (24, 8), (32, 2) (0, 35), (8, 56), (16, 28), (24, 8), (32, 1) (0, 32), (8, 56), (16, 32), (24, 8) (0, 30), (8, 64), (16, 31), (32, 2), (48, 1)
(0, 51), (16, 48), (32, 28), (128, 1) (0, 63), (16, 48), (32, 16), (128, 1) (0, 69), (16, 48), (32, 10), (128, 1) (0, 48), (16, 48), (32, 30), (64, 1), (128, 1) (0, 60), (16, 48), (32, 18), (64, 1), (128, 1) (0, 63), (16, 48), (32, 16), (128, 1) (0, 36), (16, 48), (32, 42), (64, 1), (128, 1) (0, 48), (16, 48), (32, 30), (64, 1), (128, 1) (0, 60), (16, 48), (32, 18), (64, 1), (128, 1) (0, 57), (16, 48), (32, 22), (128, 1) (0, 72), (16, 48), (32, 6), (64, 1), (128, 1) (0, 69), (16, 48), (32, 10), (128, 1) (0, 51), (16, 48), (32, 28), (128, 1) (0, 57), (16, 48), (32, 22), (128, 1) (0, 63), (16, 48), (32, 16), (128, 1) (0, 69), (16, 48), (32, 10), (128, 1) (16, 96), (32, 30), (64, 1), (128, 1)
Y. Borissov et al. / Classification of the Cosets of RM(1, 7) in RM(3, 7) Revisited
Table 2 (continued). Coset of RM(3, 7)
Walsh Transform
Autocorrelation Function
5 120
(0, 24), (8, 64), (16, 39), (48, 1)
23 + 12
15 360
(0, 34), (8, 64), (16, 24), (32, 6)
23 + 17
61 440
25
30 720
(0, 48), (8, 50), (16, 16), (24, 13), (40, 1) (0, 28), (8, 64), (16, 32), (32, 4)
27
737 280
(0, 12), (16, 96), (32, 18), (64, 1), (128, 1) (0, 12), (16, 96), (32, 18), (64, 1), (128, 1) (0, 12), (16, 96), (32, 18), (64, 1), (128, 1) (0, 24), (16, 96), (32, 6), (64, 1), (128, 1) (0, 21), (16, 96), (32, 10), (128, 1)
27 + 14
245 760
23
34+25+17+16+14
27 + 34
27 + 23 + 24 f12
Number of Cosets ( × ν(7, 3, f ))
10 240
983 040
2 048
0
129 024
12
16 128
16 + 15 + 13
32 256
17 + 15 + 13 + 12
128
23
110 592
23 + 12
258 048
23 + 12 + 13
129 024
23 + 15
387 072
23 + 15 + 13
387 072
(0, 38), (8, 56), (16, 24), (24, 8), (32, 2) (0, 32), (8, 58), (16, 32), (24, 5), (40, 1) (0, 48), (8, 48), (16, 16), (24, 16) (0, 35), (8, 56), (16, 28), (24, 8), (32, 1) (0, 60), (8, 48), (24, 16), (32, 4) (0, 39), (8, 56), (16, 24), (24, 7), (32, 1), (40, 1) (0, 36), (8, 58), (16, 27), (24, 6), (48, 1) (0, 34), (8, 60), (16, 28), (24, 3), (32, 2), (40, 1) (0, 28), (8, 63), (16, 36), (56, 1) (0, 36), (8, 56), (16, 28), (24, 7), (40, 1) (0, 37), (8, 58), (16, 24), (24, 6), (32, 3) (0, 39), (8, 54), (16, 24), (24, 10), (32, 1) (0, 34), (8, 58), (16, 28), (24, 6), (32, 2) (0, 39), (8, 54), (16, 24), (24, 10), (32, 1)
(0, 21), (16, 96), (32, 10), (128, 1) (0, 24), (16, 96), (32, 6), (64, 1), (128, 1) (0, 27), (16, 96), (32, 4), (128, 1) (16, 96), (32, 30), (64, 1), (128, 1) (0, 36), (16, 64), (32, 27), (128, 1) (0, 24), (16, 64), (32, 39), (128, 1) (0, 36), (16, 64), (32, 27), (128, 1) (16, 64), (32, 63), (128, 1) (0, 42), (16, 64), (32, 21), (128, 1) (0, 42), (16, 64), (32, 21), (128, 1) (0, 48), (16, 64), (32, 15), (128, 1) (0, 48), (16, 64), (32, 15), (128, 1) (0, 48), (16, 64), (32, 15), (128, 1)
71
72
Y. Borissov et al. / Classification of the Cosets of RM(1, 7) in RM(3, 7) Revisited
Table 2 (continued). Coset of RM(3, 7) 23 + 15 + 13 + 12
25 + 16 + 13
25+17+15+12+13
Number of Cosets ( × ν(7, 3, f ))
43 008
48 384
8 064
34 + 25 + 12
258 048
34 + 25 + 16 + 12
258 048
34 + 26 + 17 + 15 + 14 + 13 + 12
32 256
Walsh Transform
Autocorrelation Function
(0, 45), (8, 54), (16, 16), (24, 10), (32, 3) (0, 34), (8, 58), (16, 28), (24, 6), (32, 2) (0, 28), (8, 60), (16, 36), (24, 3), (40, 1) (0, 36), (8, 54), (16, 28), (24, 10) (0, 31), (8, 58), (16, 32), (24, 6), (32, 1) (0, 28), (8, 58), (16, 36), (24, 6)
(0, 36), (16, 64), (32, 27), (128, 1) (0, 48), (16, 64), (32, 15), (128, 1) (0, 48), (16, 64), (32, 15), (128, 1) (0, 54), (16, 64), (32, 9), (128, 1) (0, 54), (16, 64), (32, 9), (128, 1) (0, 60), (16, 64), (32, 3), (128, 1)
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-73
73
On Boolean Functions with Generalized Cryptographic Properties1 An BRAEKEN a Ventzislav NIKOV b Svetla NIKOVA c,2 and Bart PRENEEL c a Department Industrial Sciences and Technology, Erasmus Hogeschool Brussel, Brussels, Belgium b Innovation and Development Center Leuven, NXP Semiconductors, Belgium c Department Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven, Leuven, Belgium and IBBT, Belgium Abstract. By considering a new metric, we generalize cryptographic properties of Boolean functions such as resiliency and propagation characteristics. These new definitions result in a better understanding of the properties of Boolean functions and provide a better insight in the space defined by this metric. This approach leads to the construction of “hand-made” Boolean functions, i.e., functions for which the security with respect to some specific monotone sets of inputs is considered, instead of the security with respect to all possible monotone sets with the same cardinality, as in the usual definitions. In this way, we are able to relax some trade-offs between important properties of Boolean functions. We show relations between resilient Boolean functions, linear codes, monotone span programs, and orthogonal arrays in this generalized setting. Keywords. Boolean function, resiliency, propagation characteristic, monotone set
Introduction For any two binary vectors x = (x1 , x2 , . . . , xn ) and y = (y1 , y2 , . . . , yn ) in Fn2 , define the sets δ(x, y) = {i : xi = yi } and sup(x) = {i : xi = 0}. Denote the size of a set A with |A|. Then the Hamming distance between the binary vectors x and y is equal to d(x, y) = |δ(x, y)| and the Hamming weight of x is wt(x) = | sup(x)|. It was noted that δ(x, y) has properties similar to a metric and sup(x) has properties similar to a norm [3,4]. 1 This work was supported in part by the Concerted Research Action (GOA) Ambiorics 2005/11 of the Flemish Government, by the European Commission through the IST Programme under Contract IST-2002507932 ECRYPT and the IAPP–Belgian State–Belgian Science Policy BCRYPT. The material in this paper was presented in part at the 5th International Conference on Cryptology in India, Indocrypt 2004, Madras, December 20–22, 2004 [1] and in the 11th International Computing and Combinatorics Conference, COCOON 2005, Kunming, August 16–19, 2005 [2]. 2 Corresponding Author: Svetla Nikova, Department Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven, Leuven, Belgium and IBBT, Belgium; E-mail: [email protected].
74
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
Our goal is to use δ(x, y) instead of the Hamming distance and sup(x) instead of the Hamming weight and to explore the properties of this new space. For this purpose we consider monotone increasing and monotone decreasing sets. A set Δ is called monotone decreasing if for each set in Δ, its subsets belong to Δ. Similarly, a set Γ is said to be monotone increasing if for each set in Γ its supersets belong to Γ. As it has already been shown in [4], this new space with monotone sets can be used to generalize notions such as codes, minimum distance of a code, minimal codewords, generator and parity check matrices of a code, packing and covering, error-correcting capabilities, etc. In addition, monotone sets are widely used in Secret Sharing Schemes (SSS) to describe the sets of players which are allowed (disallowed) to reconstruct a secret. It has been recently pointed out [4] that the security of (verifiable) SSS can be derived from the properties of this space. This paper focuses on Boolean functions. In particular, we generalize the definition of t-resilient functions to functions which are resilient with respect to a monotone decreasing set Δ. Analogously, the parameters for defining the propagation characteristics (PC) of functions are replaced by monotone decreasing sets. Our aim is to provide a new insight to the previous results and to give a better understanding of which structural properties contribute in which way to known results. Moreover, relations between monotone span programs, linear codes, orthogonal arrays, and resilient functions in this generalized setting are shown. Motivation Very often the properties of resiliency and PC imply strong requirements to the rest of the parameters of a Boolean function. This leads to some trade-offs between them, since all relevant properties cannot be satisfied simultaneously. For example, Siegenthaler’s inequality [5] states that d ≤ n−t−1, where d is the algebraic degree, n is the dimension and t is the order of resiliency. By exactly defining which components need to satisfy a certain order of resiliency or PC, we can strengthen the weaker components by using other constructions and achieve in this way an optimal design. By means of example, we present a modified version of the combination generator (see Section 2.6 for concrete examples). Let Δ be the set consisting of all subsets of LFSRs for which the sum of the lengths is shorter than the security parameter for the (fast) correlation attack [6,7,8]. It is known that the feedback polynomials of the combining LFSRs should be primitive with distinct degrees in order to obtain maximum linear complexity [9]. Using t-resilient functions the degrees of LFSRs’ polynomials are uniformly chosen. But considering Δ-resilient functions instead, allows us to choose the degrees non-uniformly as well as to relax the requirements to the rest of the function parameters like nonlinearity, algebraic degree, etc. Using a Δ-resilient function as combiner f , the (fast) correlation attack can be avoided. Moreover, the degree of the function f should be high in order to counter the linear synthesis by Berlekamp–Massey [10]. Note that in this model the trade-off defined by the Siegenthaler’s inequality can be relaxed to another form as shown in Section 2.2. In order to preclude more recent algebraic attacks, one should also require that the function has no low degree multiples [11], but the algebraic immunity is out of scope of this paper.
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
75
The set Δ for defining the resiliency contains again the subsets of LFSRs for which the sum of the lengths is smaller than the security parameter for the (fast) correlation attack. Previous Work The first steps in considering generalizations of classical t-resiliency and functions satisfying PC properties has been made in [12]. The authors extended the properties of resiliency and propagation characteristics with respect to subspaces. So, our definitions can be seen as natural extensions of the definitions by Canteaut et al., instead of subspaces, to collections of subspaces. We also refer to the research on almost resilient functions and functions satisfying almost PC properties [13,14,15]. There, the concept is different and is based on probabilities but it is also introduced for relaxing the parameters and for avoiding (or relaxing) the trade-offs. Recently in [16] quasi-immune Boolean functions were defined. It turns out to be the first example of criterion which is looser than known criteria like correlation-immunity and resiliency. This relaxation is achieved by requiring not the same threshold for all variables. Organization of the Paper The paper is organized as follows. In Sect. 1, we give some background and preliminaries. Sect. 2 deals with Δ-resilient functions. We first investigate the notions algebraic and numerical degree, nonlinearity and divisibility results for the Walsh coefficients. Then different constructions are identified amongst the other we mention the constructions of Siegenthaler, Camion et al., Maiorana–MacFarland, the Direct sum and the Partial-Spread constructions. Next we establish a connection between linear codes, monotone span programs, Δ-resilient functions, and Δ-orthogonal arrays. We also give two concrete examples of Δ-resilient functions that have better trade-off between degree/nonlinearity and resiliency compared with the classical theory. In Sect. 3 we generalize functions which satisfy SAC and PC of some monotone decreasing sets. Then a relation between them and Δ-resilient functions is proven. In this setting we also investigate the question when a function may possess linear structures. Finally we investigate the algebraic degree and show several constructions of PC functions with respect to mononotone decreasing set Δ. The material in this paper has been partially presented in [1] and [2].
1. Background Define the set P = {1, . . . , n} and denote the power set of P by P (P). The set Γ (Γ ⊆ P (P)) is called monotone increasing if for each set A in Γ, each set containing A is also in Γ. Similarly, the set Δ (Δ ⊆ P (P)) is called monotone decreasing, if for each set B in Δ each subset of B is also in Δ. A monotone increasing set Γ can be described efficiently by the set Γ− consisting of the minimal elements (sets) in Γ, i.e., the elements in Γ for which no proper subset is also in Γ. Similarly, the set Δ+ consists of the maximal elements (sets) in Δ, i.e., the elements in Δ for which no proper superset is also in Δ.
76
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
We set Γ = Δc (Δc = P (P) \ Δ). Note that Γ is monotone increasing if and only if Δ is monotone decreasing. The dual sets Δ⊥ and Γ⊥ to Γ and Δ, respectively, are defined by Γ⊥ = {A : c A ∈ Δ} and Δ⊥ = {A : Ac ∈ Γ}. It is easy to see that Δ⊥ is monotone decreasing and Γ⊥ is monotone increasing. For two monotone decreasing sets Δ1 and Δ2 define Δ1 ⊎ Δ2 = {A = A1 ∪ A2 : A1 ∈ Δ1 , A2 ∈ Δ2 }. Note that Δ1 ⊎ Δ2 is again a monotone decreasing set. As it has been pointed out in [3,4], δ(x, y) has similar properties as a metric and sup(x) has similar properties as a norm. Notice that sup(x) and δ(x, y) = sup(x − y) are subsets of P and that P is partially ordered (i.e., x y if and only if sup(x) ⊆ sup(y)). For a vector u ∈ Fn2 , let u = u ⊕ 1 (where 1 denotes the all-1 vector), i.e., sup(u) = sup(u)c . The dot product w · x is equal to the component-wise inner product. For an element A ∈ Δ \ {0}, the subspace defined by A is given by UA = {u : sup(u) ⊆ A}. The dual UA⊥ of the subspace UA is the subspace consisting of the elements x such that x · y = 0 for all y ∈ UA . Consequently, UA⊥ is defined by Ac , i.e., UA⊥ = UAc = {u : sup(u) ⊆ Ac }. Let f (x) = f (x1 , . . . , xn ) be a Boolean function on Fn2 . The Walsh transform Wf of a Boolean function f (x) plays an important role in our work. It is a real-valued function, which is defined as follows Wf (w) = (−1)f (x)+w·x . x∈Fn 2
A function with equally distributed outputs is called a balanced function. It is clear that for balanced functions Wf (0) = 0. A Boolean function f (x) on Fn2 is said to be a plateaued function [17,18] if its Walsh transform Wf takes only three values 0 and ±λ, where λ is a positive integer, called the amplitude of the plateaued function. The nonlinearity Nf of a Boolean function f , which is defined by the minimum distance of the function to the set of affine functions A, i.e., Nf = ming∈A d(f, g), can be expressed using its Walsh transform as follows: Nf = 2n−1 − (1/2) maxw∈Fn2 |Wf (w)|. Other representations of a Boolean function f (x) are the algebraic normal form (ANF) f (x) =
%
au xu ,
au ∈ F2 ,
λu xu ,
λu ∈ C.
u∈Fn 2
and the numerical normal form (NNF) f (x) =
u∈Fn 2
The degree of the ANF is called the algebraic degree or shortly degree (denoted by deg(f )), the degree of the NNF is called the numerical degree of the Boolean function. The autocorrelation rf of a Boolean function f on Fn2 is a real-valued transformation, defined by rf (u) = 2−n
x∈Fn 2
(−1)f (x)+f (x+u) .
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
77
We will also need an important property of the sum of characters (see e.g., [19, p. 263]). Lemma 1. For any subspace V ⊆ Fn2 , we have
(−1)
w·x
x∈V
=
|V | if w ∈ V ⊥ ; 0 otherwise.
(1)
2. Δ-Resilient Functions 2.1. Definition and Relation with the Classical Definition of Resiliency In this section we generalize the definitions of resilient and correlation-immune (CI) functions with respect to a monotone decreasing set Δ. We assume that the set Δ is the maximal possible monotone decreasing set for which the function satisfies the corresponding property. The monotone increasing set Γ corresponding with Δ is defined by Γ = Δc . Definition 1. Let f (x) = f (x1 , . . . , xn ) be a Boolean function on Fn2 and Δ be a monotone decreasing set. Then f (x) is called Δ-resilient iff f (x)⊕w ·x is a balanced function for all w such that sup(w) ∈ Δ. Furthermore, f (x) is called Δ-CI iff f (x) ⊕ w · x is a balanced function for all w such that sup(w) ∈ Δ \ {∅}. When Δ = {A : |A| ≤ t} the definitions of Δ-resilient function and t-resilient function, (resp. Δ-CI function and t-CI function) coincide. The property balancedness of f (x) ⊕ w · x can be translated in terms of Walsh spectrum into Wf (w) = 0. Denote the set of vectors which have zero Walsh value by ZWf , then Δ ⊆ {sup(u) : u ∈ ZWf }. Note that ZWf ∩ Γ is not necessarily empty. We stress here that Δ is a collection of subspaces, i.e., it is not necessarily a subspace itself. Example 1. Consider the sets Δ+ and Γ− in the set F42 : Δ+ = {{1, 2}, {3, 4}} and Γ− = {{1, 4}, {2, 4}, {1, 3}, {2, 3}}. It is easy to verify that Γ = Δc and Γ ∩ Δ = ∅. A function which is Δ-resilient has zero Walsh coefficients for the inputs w, where sup(w) ∈ {∅, {1}, {2}, {3}, {4}, {1, 2}, {3, 4}}, i.e., for the vectors w ∈ {(0, 0, 0, 0), (1, 0, 0, 0), (0, 1, 0, 0), (0, 0, 1, 0), (0, 0, 0, 1), (1, 1, 0, 0), (0, 0, 1, 1)}. Next we establish the relationship with the classical definition of resiliency. For the monotone sets Γ and Δ define the parameters t1 = min{|A| : A ∈ Γ− }
and t2 = max{|A| : A ∈ Δ+ }.
From the definition of t1 and the fact that Γ is a monotone increasing set, each subset of size t1 −1 belongs to Δ, which implies that a Δ-resilient function is also (t1 −1)-resilient. Analogously, a Δ-CI function is (t1 − 1)-CI. The parameter t2 defines the maximum dimension of a subspace in which the Δ-resilient function is resilient. The following theorem shows a necessary and sufficient condition for Δ-resilient functions concerning its balancedness properties on affine subspaces.
78
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
Theorem 1. A Boolean function f on Fn2 is Δ-resilient if and only if f is balanced when restricted to any of the affine subspaces a + UA , where A ∈ Δ⊥ and a ∈ Fn2 . Proof. It suffices to show that a Boolean function f on Fn2 is resilient on the subspace V if and only if f is balanced on the affine subspaces a + V ⊥ , for all a ∈ Fn2 . Assume f is resilient on the subspace V , or equivalently Wf (v) = 0 for all v ∈ V . Now, for all a ∈ Fn2 using Eq. (1) the following equations are equivalent:
(−1)a·v Wf (v) = 0
v∈V
(−1)a·v
x∈a+V ⊥
(−1)f (x)
(−1)f (x)+v·x = 0
x∈Fn 2
v∈V
(−1)(a+x)·v +
v∈V
(−1)f (x)
|V |
(−1)(a+x)·v = 0
v∈V
⊥ x∈a+V /
(−1)f (x) = 0.
x∈a+V ⊥
The proof of the converse part of the theorem follows from the equivalence of the above equations. Remark 1. From the definition of resiliency, we deduce that if at most t components of a t-resilient function are fixed (this defines a subspace V of dimension n − t), the output is balanced. The previous theorem generalizes this property by proving that the function is also balanced on all affine subspaces of V ⊥ . Example 2. A possible truth table of the Δ-resilient function defined by Example 1 is given by the vector (0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 0). This function is exactly 1resilient. Moreover the function is resilient with respect to two subspaces of dimension 2 whose basis is given by e1 , e2 ! and e3 , e4 !, where ei is the all zero vector except for position i. One can check that the conditions of Theorem 1 are satisfied. 2.2. Algebraic and Numerical Degree Theorem 2. For a Δ-resilient function f on Fn2 all ANF coefficients au of f with sup(u) ∈ Γ⊥ and wt(u) > 1 are equal to zero. If sup(u) ∈ Γ⊥ and wt(u) = 1 then au = 1. Proof. The Siegenthaler’s inequality deg(f ) ≤ n − t − 1 for t-resilient functions on Fn2 relies on the observation that the coefficient au of the term xu in the ANF of f satisfies the following relation [20] au = 2wt(u)−1 − 2− wt(u)−1
Wf (w) mod 2.
(2)
wu
Consider now u with sup(u) ∈ Γ⊥ : then sup(u) ∈ Δ and hence sup(w) ⊆ sup(u) ∈ Δ for all w u. By definition of Δ-resilient functions Wf (w) = 0 for sup(w) ∈ Δ. Therefore au = 0 for all u such that sup(u) ∈ Γ⊥ and wt(u) > 1, but when
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
79
sup(u) ∈ Γ⊥ and wt(u) = 1 we obtain au = 1. Note that this is a generalization of the Siegenthaler’s inequality for t-resilient functions since if Δ = {A : |A| ≤ t} we have Γ⊥ = {B : |B| ≥ n − t}. Remark 2. For a Δ-CI function f on Fn2 all coefficients au from the ANF of f with sup(u) ∈ Γ⊥ , wt(u) > 1 and Wf (0) = 2n ± 2n−wt(u)−1 are equal to zero. If sup(u) ∈ Γ⊥ , wt(u) = 1 and Wf (0) = 2n − 2n−2 then au = 1. The proof for Δ-CI functions is analogous to the previous proof. This result generalizes the Siegenthaler’s inequality for t-CI functions of degree d, i.e., t ≤ n − d.
Remark 3. Notice that because of the factor mod 2 in (2) the coefficient au is 1 for u such that sup(u) ⊆ [Δ⊥ ]+ and Wf (u) = ±2n−wt(u)+1 . The maximum weight of such u defines the normal algebraic degree of the Boolean function. Knowledge of the coefficients of the ANF of f enables us to derive bounds (upper and lower) on the nonlinearity as shown in [21, Theorem 18 and Theorem 30]. We now generalize the definition of degree to this new setting. Definition 2. Define a monotone decreasing set Deg = {A : A ⊆ sup(u), au = 0}. We call the set Deg+ the “degree-set” of f . Remark 4. The “degree-set” of f satisfies the following relation: Deg ⊆ Δ⊥ ∪ {A : A ∈ Γ⊥ , |A| = 1} Moreover, the equality does not always hold; it is even possible that Deg+ ∩[Δ⊥ ]+ = ∅. Example 3. Applying Theorem 2 to the function of Example 1, we obtain that all coefficients au for u such that sup(u) ∈ Γ⊥ are zero, which gives additional information compared to the Siegenthaler’s inequality. Note that [Γ⊥ ]− = {{3, 4}, {1, 2}} and [Δ⊥ ]+ = {{2, 4}, {2, 3}, {1, 4}, {1, 3}}. Because the ANF of f is given by x1 x3 ⊕ x1 x4 ⊕ x2 x3 ⊕ x2 x4 ⊕ x1 ⊕ x3 , the equality Deg+ = [Δ⊥ ]+ holds in this example. Theorem 3. For a Δ-resilient function f (x) on Fn2 all coefficients λu from NNF of g(x) = f (x) ⊕ x1 ⊕ · · · ⊕ xn with sup(u) ∈ Γ⊥ are equal to zero. Moreover, all coefficients λu from NNF of g with sup(u) ∈ [Δ⊥ ]+ are non-zero. Proof. In [22] the authors characterize a t-resilient function f by the numerical degree of the function g(x) = f (x) ⊕ x1 ⊕ · · · ⊕ xn . Analogous to the Siegenthaler’s inequality the numerical degree of function g(x) is less than or equal to n − t − 1. The proof uses the connection between Walsh coefficients, i.e., Wf (w) = Wg (w) and the observation that the coefficient λu of the term xu in the NNF of g satisfies the following relation λu = 2−n (−2)wt(u)−1
Wg (w).
(3)
uw
Consider now u with sup(u) ∈ Γ⊥ : then sup(u) ∈ Δ and hence sup(v) ⊆ sup(u) ∈ Δ for all v u. By rewriting (3) into
80
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
λu = 2−n (−2)n−wt(u)−1
Wf (v)
(4)
vu
and by using the definition of Δ-resilient functions, we obtain that λu = 0 for all u such that sup(u) ∈ Γ⊥ . Note that there is one-to-one mapping between the coefficients λu equal to zero and the resiliency (see (4)). Namely let f be Δ-resilient and assume that there exists a zero coefficient λu from the NNF of g with sup(u) ∈ [Δ⊥ ]+ then f is (Δ ∪ sup(u))-resilient. As a consequence, the numerical degree of the function is equal to max{|A| : A ∈ [Δ⊥ ]+ }. Remark 5. From the previous proof, it is easy to derive that for Δ-CI functions f the coefficients λu of the NNF of g are nonzero if sup(u) ∈ Γ⊥ and also if sup(u) ∈ [Δ⊥ ]+ when Wf (0) = −Wf (u). 2.3. Nonlinearity In this section we improve the divisibility results on the Walsh coefficients of resilient functions which leads to an upper bound on the nonlinearity. Let fv be the (n − wt(v))variable function formed from f for which xj = 0 if vj = 1. The divisibility result by Sarkar and Maitra [23] can be generalized in the following way: Theorem 4. Let f be a Δ-resilient function on Fn2 . Then the Walsh coefficients of f satisfy the following divisibility conditions: Wf (v) ≡ 0 (mod 2t3 (v)+1 ), where sup(v) ∈ Γ and t3 (v) = min{wt(w) : w v, sup(w) ∈ Γ− }. Proof. In [24] the following relation has been proven:
uv
Wf (u) = 2wt(v) Wfv (0) = 2n − 2wt(v)+1 wt(fv ).
(5)
Choose v ∈ Γ− , hence for any u v we have u ∈ Δ thus Wf (u) = 0. Then the relation (5) reduces to Wf (v) = 2n − 2wt(v)+1 wt(fv ), which proves the result for v ∈ Γ− because wt(v) = t3 (v). We will not consider the trivial case when Γ− = {P}. We proceed further by induction on the weight of v. Let v∈ Γ \ Γ− . Then from relation (5) we have Wf (v) = 2n − 2wt(v)+1 wt(fv ) − uv Wf (u). By the hypothesis Wf (u) ≡ 0 (mod 2t3 (u)+1 ) for any u v and u ∈ Γ. Because t3 (v) is increasing for decreasing weight of v, it follows that t3 (u) > t3 (v) for all u v, u ∈ Γ, which completes the induction step and the proof.
Remark 6. Note that t3 (v) ≥ t1 = t + 1 for v with sup(v) ∈ Γ, therefore we have a stronger result comparing to the divisibility of 2t+2 proven in [23] for t-resilient functions, since some of the coefficients are divisible by a higher power of 2. Now we extend the result of Carlet and Sarkar in [24], namely Wf (v) ≡ 0 (mod 2t+2+⌊(n−t−2)/ deg(f )⌋ ).
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
81
Theorem 5. Let f be a Δ-resilient function on Fn2 . Then the Walsh coefficients of f satisfy the following divisibility conditions: Wf (v) ≡ 0 (mod 2t3 (v)+1+⌊(n−t3 (v)−1)/t4 (v)⌋ ), where sup(v) ∈ Γ and with parameters t3 (v) (as defined in Theorem 4) and t4 (v) = max{|A| : A ∈ Deg+ , A ⊆ sup(u) with u v, sup(u) ∈ Γ− }. Proof. Let f be a Δ-resilient function. If sup(v) ∈ Γ− , then for any u v we have u ∈ Δ thus Wf (u) = 0. Hence (5) reduces to Wf (v) = 2n − 2wt(v)+1 wt(fv ). Applying McEliece’s [25] theorem for cyclic codes on fv we obtain that wt(fv ) ≡ 0 (mod 2⌊(n−t3 (v)−1)/t4 (v)⌋ ), since t3 (v) = wt(v) and t4 (v) = deg(fv ). This proves the result for v with sup(v) ∈ Γ− . Let sup(v) ∈ Γ \ Γ− . By the hypothesis Wf (u) ≡ 0 (mod 2t3 (u)+1+⌊(n−t3 (u)−1)/t4 (u)⌋ ) for any u v and sup(u) ∈ Γ. Since t4 (u) is increasing with respect to wt(u) we obtain that Wf (u) ≡ 0 (mod 2t3 (u)+1+⌊(n−t3 (u)−1)/t4 (v)⌋ ) for any u v and sup(u) ∈ Γ. Note that by Remark 4 the degree offv is less or equal to t4 (v). Rewrite (5) in the form Wf (v) = 2n − 2wt(v)+1 wt(fv ) − uv Wf (u). To conclude the proof note that t3 (u) is decreasing with respect to wt(u) and that t4 (v) ≥ deg(fv ). Remark 7. The parameters t3 (v) and t4 (v) satisfy an inequality similar to the Siegenthaler’s inequality: t3 (v) + t4 (v) ≤ n. Thus Theorem 5 improves the result from Theorem 4 when t3 (v) and/or t4 (v) are smaller. Example 4. Consider again the function of Example 1. By definition of Γ− and Deg+ (see Example 3), the parameters t3 (v) = 2 and t4 (v) = 1 for all v ∈ Γ. Consequently, the Walsh values of the function are divisible by 8. The divisibility results of the Walsh coefficients for Δ-resilient functions result in bounds on the nonlinearity of these functions. Since the proof is similar to the one of [24], we only state the theorem. Theorem 6. Let f be a Δ-resilient function on Fn2 . Denote L1 = max {t3 (v) + 1 + ⌊(n − t3 (v) − 1)/t4 (v)⌋}, sup(v)∈Γ
L2 =
min {t3 (v) + 1 + ⌊(n − t3 (v) − 1)/t4 (v)⌋}
sup(v)∈Γ
and let nlmax(n) be the maximum possible nonlinearity for n-variable functions. Then 1. If n is even and L1 > n/2 − 1, then Nf ≤ 2n−1 − 2L1 .
82
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
2. If n is even and L1 ≤ n/2 − 1, then Nf ≤ 2n−1 − 2n/2−1 − 2L2 . 3. If n is odd and 2n−1 − 2L1 ≤ nlmax(n), then Nf ≤ 2n−1 − 2L1 . 4. If n is odd and 2n−1 − 2L1 > nlmax(n), then Nf is less than or equal to the highest multiple of 2L2 which is not greater than nlmax(n). 2.4. Constructions of Δ-Resilient Functions Lemma 2. If f is a Δ-resilient function on Fn2 , then g(x) = f (x) ⊕ 1 and h(x) = f (x1 ⊕ c1 , . . . , xn ⊕ cn ) where c ∈ Fn2 are Δ-resilient. Proof. The theorem follows immediately from the definition of Δ-resiliency and the fact that Wf (w) = Wh (w) = −Wg (w) for all w ∈ Fn2 . 2.4.1. The Constructions of Siegenthaler and Camion et al. Theorem 7. Let f1 and f2 be two Δ-resilient functions on Fn2 . The function f on Fn+1 2 defined by f (x1 , . . . , xn+1 ) = xn+1 f1 (x1 , . . . , xn ) ⊕ (1 ⊕ xn+1 )f2 (x1 , . . . , xn ) = Δ ⊎ P ({n + 1}). Furthermore, if w ∈ Γ and for any u w is Δ-resilient, where Δ =Δ ∪ P (sup(w)). it holds that Wf1 (u) + Wf2 (u) = 0 then f is Δ-resilient, where Δ λn+1 . The Walsh coefficients of f satisfy = (λ1 , . . . , λn ) and λ = λ, Proof. Let λ the following relation: . + (−1)λn+1 Wf λ Wf (λ) = Wf2 λ 1
(6)
∈ Δ. Since f1 and f2 are Δ-resilient functions then sup λ If λ satisfies sup(λ) ∈ Δ, it follows (from (6)) that Wf (λ) = 0. we have the following two cases: If λ satisfies sup(λ) ∈ Δ • sup(λ) ∈ Δ ⊎ P ({n + 1}), for which it is already proven that Wf (λ) = 0. • sup(λ) ∈ P (sup(w)) for some w ∈ Γ. We have now that λn+1 = 0 and thus Wf (λ) = Wf1 (λ) + Wf2 (λ) = 0 since λ w.
Remark 8. We extend Siegenthaler’s result [5] that states “if f1 and f2 are t-resilient then f is t-resilient” by showing that if f1 and f2 are Δ-resilient, then f is Δ-resilient. Similarly, we generalize the result of Camion et al. [26] which states “if also for all v such that wt(v) = t + 1 holds that Wf1 (v) + Wf2 (v) = 0, f is (t + 1)-resilient”, because we show that if f1 and f2 are Δ-resilient then f is Δ-resilient. The following corollary can be derived.
Corollary 1. Let f (x) = w · x be a linear function on Fn2 and wt(w) = d, i.e., without lost of generality we can suppose that f (x) = x1 ⊕ . . . ⊕ xd . Then f (x) is &d i=1 P ({1, . . . , n} \ {i}) -resilient function.
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
83
d P ({1, . . . , n} \ {i}) could be rewritten as Δ = P ({d + Proof. Note that Δ = i=1 1, . . . , n}) ⊎ {A : A ⊂ {1, . . . , d}}. It is easy to see now that {1, . . . , d} ∈ / Δ and hence f is (d − 1)-resilient. Also in accordance with Theorem 2 we have {i} ∈ Γ⊥ for i = 1, . . . , d. &
2.4.2. Direct Sum and Secondary Constructions Theorem 8. Let f1 be a Δ1 -resilient function on Fn2 1 and f2 be a Δ2 -resilient function on Fn2 2 then the direct sum f : Fn2 1 × Fn2 2 : (x, y) → f (x, y) = f1 (x) ⊕ f2 (y) = Δ1 ⊎ Δ2 ⊎ S -resilient function on Fn1 +n2 where is a Δ 2
S = {∅, {1}, · · · , {n1 }, {n1 + 1}, · · · , {n2 + n1 }}.
Proof. For λ = (λ1 , λ2 ), where λ1 ∈ Fn2 1 and λ2 ∈ Fn2 2 , the Walsh coefficient equals to at least one Wf (λ1 , λ2 ) = Wf1 (λ1 )Wf2 (λ2 ). For each λ = (λ1 , λ2 ) with sup(λ) ∈ Δ, of λi satisfies sup(λi ) ∈ Δi , since all elements of S have weight maximum one. Remark 9. The classical theorem says that for the direct sum of a t1 -resilient function and t2 -resilient function yields a (t1 + t2 + 1)-resilient function [27], which is reflected here by the set Δ.
The following lemma shows how to construct new Δ′ -resilient functions from a given Δ-resilient function where Δ′ ⊆ Δ. This theorem is an extension of Theorem 3 from [28].
Lemma 3. Consider a Boolean function f on Fn2 which is Δ-resilient. If there exists a subspace W and a subset Δ′ ⊆ Δ such that UA ∩ W = ∅ for all A ∈ Δ′ and the restriction of f to W ⊥ is equal to the constant c, then the function f ′ obtained from f by replacing the constant c by the constant c ⊕ 1 for all elements of W ⊥ is Δ′ -resilient. Proof. Recall that by equation (1) for v ∈ UA we have x∈W ⊥ (−1)1+v·x = 0. Thus the Walsh value of v ∈ UA can be computed as follows: Wf (v) = (−1)f (x)+v·x x∈Fn 2
=
(−1)f (x)+v·x +
(−1)f (x)+v·x
(−1)f
x∈W / ⊥
x∈W ⊥
=
(−1)f (x)+v·x
x∈W / ⊥
=
(−1)f
′
(x)+v·x
(−1)f
′
(x)+v·x
x∈W / ⊥
=
x∈W ⊥
= Wf ′ (v).
+
x∈W / ⊥
′
(x)+v·x
84
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
The following construction is a generalization of the change of basis construction. Lemma 4. Let Δ be a set containing less than n elements. Then any Boolean function f on Fn2 which has at least n linearly independent vectors w ∈ Fn2 such that Wf (w) = 0 can be transformed into a Δ-resilient function. Proof. For a nonsingular matrix D, it holds that g(x) = f (D−1 x) if and only if Wg (w) = Wf (Dw). Taking n linearly independent vectors which have zero Walsh value as rows of D, leads to the construction of a Δ-resilient function. 2.4.3. The Maiorana–MacFarland and Partial-Spread Constructions Theorem 9. Let φ be a function from Fn−r into Fr2 and let g be an arbitrary Boolean 2 n−r function on F2 , then the function f defined by Fr2 × Fn−r → F2 : (x, y) → f (x, y) = x · φ(y) ⊕ g(y) 2 is Δ-resilient with Δ = {A : ∃ y ∈ F2n−r such that sup(φ(y)) ⊆ A}c . Moreover, if φ is injective (resp. takes each value exactly 2 times), the function is plateaued with amplitude 2r (resp. 2r+1 ). Proof. Calculate the Walsh spectrum of the function (see [28]) (−1)x·φ(y)+g(y)+x·u+y·v = 2r Wf (u, v) = x∈Fr2 , y∈F2n−r
(−1)g(y)+y·v ,
y∈φ−1 (u)
where u ∈ Fr2 and v ∈ F2n−r . As a consequence, Wf (u, v) = 0 if there exists no y such that φ(y) = u. Remark 10. This construction always leads to P ({r + 1, . . . , n}) ⊆ Δ because φ is a mapping from F2n−r into Fr2 . It is clear that the higher the weight of the elements in the image of φ are, the higher the values t2 and |Δ| are.
In [28], Carlet showed how to construct resilient functions using the construction of bent functions in the class PS ap (a subclass of the Partial-Spreads class introduced in [29]). We generalize this construction for Δ-resilient functions. In this construction, the field Fn2 is identified with the field F2n . The isomorphism can be chosen such that the dot product is equal to TrF2n (xy), where TrF2n is the trace map from F2n to F2 . The notion of resiliency depends on the choice of the dot product on F2n . For aneven characteristic, there exists a dual basis {α1 , . . . , αn } n such that TrF2n (xy) = i=1 xi yi = x · y. Recall that for each linear mapping φ : F2n → F2m there exists a mapping φ∗ : F2m → F2n (called the adjoint) such that for every x ∈ F2m , y ∈ F2n one has that TrF2m (xφ(y)) = TrF2n (yφ∗ (x)) or in other words x · φ(y) = y · φ∗ (x). Theorem 10. Let g be a Boolean function on F2m , φ a linear mapping from F2n into F2m and a ∈ F2m such that a + φ(y) = 0 for all y ∈ F2n . Then the Boolean function f which is defined by
x F2m × F2n → F2 : (x, y) → f (x, y) = g + b · y, a + φ(y)
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
85
with b ∈ F2n is Δ-resilient with Δ = {A : ∃ z ∈ F2m such that sup(φ∗ (z) + b) ⊆ A}c . Proof. We refer to [28] for the computation of the Walsh transform for f in (u, v) ∈ F2m × F2n : (−1)g(z)+(b+v)·y+z(a+φ(y))·u Wf (u, v) = z∈F2m , y∈F2n
=
∗
(−1)g(z)+(b+v)·y+(za)·u+φ
(uz)·y
z∈F2m , y∈F2n
=
(−1)g(z)+(za)·u
z∈F2m
= 2n
∗
(−1)(b+v+φ
(uz))·y
y∈F2n
(−1)g(z)+u·(az) .
z∈F2m , φ∗ (uz)+v+b=0
If (u, v) ∈ Δ, then the set {z ∈ F2m : φ∗ (uz) + v + b = 0} is empty. Consequently Wf (u, v) is equal to 0 for all (u, v) ∈ Δ. Remark 11. Note that P ({1, . . . , m}) ⊆ Δ. The higher the weight of the elements of D is, the higher t2 (corresponding to the order of resiliency) and |Δ| are.
Remark 12. Note that for the extensions, we concentrated on the basic constructions. The more complicated constructions due to for instance Tarannikov in [30,31], can be generalized in the same way using the methods as presented above. 2.5. Relations with Codes and Orthogonal Arrays 2.5.1. Codes The following construction shows a relation between Δ-resilient functions and linear [n, k, d]-codes, which is a generalization of a result from [32].
Lemma 5. Let G be a generator matrix of an [n, k, d]-code C and let f be a balanced function on Fn2 . Define ' Δu = P ({1, . . . , n} \ sup(u)) ⊎ {A : A ⊂ sup(u)} for u ∈ C. Then f (xGT ) is a ( u∈C Δu )-resilient function.
Proof. Denote F : Fn2 → Fk2 as the function x → xGT . We use the relation, derived in [33,34], between the Walsh coefficients of f ◦ F and the Walsh coefficients of f and lw ◦ F , where lw ◦ F denotes the linear combination of the components of F defined by w: Wf (w)Wlw ◦F (v), ∀v ∈ Fn2 . (7) Wf ◦F (v) = 2−k w∈Fk 2
Note that the function lw ◦ F = w · xGT = wG · x is linear and thus by Corollary 1 lw ◦ F is a Δu -resilient function, where u = wG is a codeword of C. Now (7) concludes the proof.
86
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
' Remark 13. Because {A : |A| ≤ d−1} ⊆ u∈C Δu , Lemma 5, generalizes the property that the function f (xGT ) is at least (d − 1)-resilient as proven in [32].
Lemma 5 can also be immediately translated in the new setting by making use of a generalization of the linear [n, k, d]-code, called the [n, k, Δ] error-set correcting code. is a code of dimension k, length n and for which codewords x An [n, k, Δ]-code C satisfy sup(x) ∈ Γ, where Γ = Δc .
Lemma 6. Let G be the generator matrix of an [n, k, Δ]-code and g(x) = f (xGT ), where f is a balanced algebraic non-degenerate Boolean function on Fk2 with k ≤ n. Then g is at least Δ-resilient. Moreover, if f is resilient in α (Wf (α) = 0), then g is also resilient in sup(αG). Let us show how to construct these [n, k, Δ]-codes. As derived in [4], the generator matrix of the code can be defined by using the matrix M of a Monotone Span Program. Definition 3 ([35]). A Monotone Span Program (MSP) M is defined by the quadruple (F, M, ǫ, ψ), where F is a finite field, M is a matrix (with m rows and d ≤ m columns) over F, ψ : {1, . . . , m} → {1, . . . , n} is a surjective functions and ǫ = (1, 0, . . . , 0) is a fixed non-zero vector, called target vector. The size of M is the number of rows and is denoted as size(M). The properties that matrix M (from the MSP M) possesses are in one-to-one correspondence with a monotone increasing set Γ. In this case it is said that M computes Γ. Definition 4 ([4]). An MSP M is called Δ-non-redundant (denoted by Δ-rMSP) when v = 0 ∈ ker(M T ) ⇐⇒ sup(v) ∈ Δ. It is shown in [4] how the generator matrix of an [n, k, Δ]-code can be deduced from the results in [36]. Theorem 11 ([4]). Let M be a Δ-rMSP computing Γ and let M ⊥ be the matrix of the dual M⊥ MSP computing Γ⊥ . Then a generator matrix G of an [n + 1, k, Δ]-code is given by G = (ǫ | (M ⊥ )T ).
Note that it is not trivial from the previous relation how to immediately construct [n + 1, k, Δ]-codes. Although, we could observe the following relations. It is well known that there is a one-to-one correspondence between ideal LSSS (with dealer P0 and defined on set of players P = {1, . . . , n}) and matroids over the set S = {0, 1, . . . , n} = {P0 } ∪ P. On the one hand, a relation between linear codes (constructed by means of MSPs) and SSS was shown in [4]. On the other hand, the relation between SSS and matroids was found in [37]. Consequently, it follows logically that also matroids and linear codes are related, as explicitly derived in [2]. Definition 5 ([38]). A matroid M = (S, I) is a finite set S and a collection I of subsets of S (called the independent sets) such that ∅ ∈ I, I is monotone decreasing, if U, V ∈ I with |U | = |V | + 1, then there exists x ∈ U \ V such that V ∪ x ∈ I. The maximal independent sets are called the bases. If B = {Bi : i ∈ I} is the set of bases of a matroid M, then the dual matroid M∗ of a matroid M is defined by the set of bases B ∗ = {S \ Bi : i ∈ I}.
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
87
Theorem 12 ([2]). The parity check matrix of an [n + 1, k, Δ]-code is a matroid defined on the set of column indices S = {0, 1, . . . , n} with independent set I = Δ. The generator matrix of an [n + 1, k, Δ]-code is equivalent to a matroid defined on the set S = {0, 1, . . . , n} with an independent set I ∗ = Δ∗ (the dual matroid of (S, I)). Example 5. Consider the [5, 3, Δ]-code with its corresponding dual the [5, 2, Δ∗ ]-code where (Δ∗ )+ = {{2, 3, 5}, {1, 3, 5}, {1, 2, 5}, {2, 4, 5}, {1, 4, 5}, {1, 2, 4}, {1, 3, 4}, {2, 3, 4}}, Δ+ = {{1, 4}, {2, 4}, {3, 4}, {1, 3}, {2, 3}, {3, 5}, {2, 5}, {1, 5}}. The generator matrix G and parity check matrix H of the code are given by: ⎛ ⎞
10110 11100 . G = ⎝0 1 1 1 0⎠ , H = 00111 00011
The linearly independent sets of columns in H correspond to the elements of Δ, while the linearly independent sets of columns in G correspond to the elements of Δ∗ . Then g(x) = f (xGT ) = f (x1 ⊕ x3 ⊕ x4 , x2 ⊕ x3 ⊕ x4 , x4 ⊕ x5 ), where f is an arbitrary balanced Boolean function on F32 , represents a Δ-resilient Boolean function. If f (x1 , x2 , x3 ) = x1 x3 ⊕ x2 , we can say more. Since Wf (α) = 0 for α ∈ V = {(0, 0, 0), (1, 0, 0), (0, 0, 1), (1, 0, 1)}, we compute sup(αG) for all α ∈ V , which belong to V ′ = {{}, {1, 3, 4}, {4, 5}, {1, 3, 5}}. Consequently, following Lemma 6, the function g(x) = f (xGT ) = (x1 ⊕ x3 ⊕ x4 )(x4 ⊕ x5 ) ⊕ x2 ⊕ x3 ⊕ x4 represents a Δ′ -resilient function with Δ′+ = {{1, 3, 4}, {1, 3, 5}, {4, 5}, {2, 4}, {2, 3}}. Clearly Δ′ does not represent the independent sets of a matroid on {1, . . . , 5}, since the cardinality of the elements are not equal. 2.5.2. Orthogonal Arrays Let us consider a generalized definition of orthogonal arrays. Definition 6. An orthogonal (M, n, q, Δ) array is an M × n matrix V with entries from a set of q elements, strength Δ which is a decreasing monotone set and index μ. Any set A ∈ [Δ⊥ ]+ of columns of V contains all q |A| possible row vectors exactly μ = M q −|A| times. If Δ = {A : |A| ≤ k}, then the definition of an (M, n, q, k) orthogonal array is obtained. The relation between linear [n, k, d]-codes and (q k , n, q, d⊥ − 1) orthogonal arrays as mentioned in [25, Theorem 8] can be translated as follows: Theorem 13. Let [C] be the M ×n array consisting of all codewords of an [n, k, Δ]-code. Then the array [C] will define a (q k , n, q, Δ(C⊥ )) orthogonal array. Consequently, by Theorem 12, Δ represents the independent sets of a matroid which means that the definition of a generalized orthogonal array only depends on the rank of the corresponding matroid.
88
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
Orthogonal arrays have important applications in statistics, more precisely in fractional factorial experiments [39]. The rows of the array represents the experiments or tests to be performed and the columns correspond to different variables. By basing the experiment on an orthogonal array, one ensures that all possible combinations of variables determined by Δ⊥ occur equally often. Consequently, this type of generalized orthogonal array is certainly interesting since in general we do not want to investigate all possible combinations but only sets of combinations. Orthogonal arrays are also equivalent to affine structures, transversal designs, cartesian authentication codes, and local perfect randomizers. Consequently, equivalence can also be expressed between their generalized forms. As shown in [26], the extended truth table of a k-CI function f on Fn2 forms an (M, n, 2, k) orthogonal array, where the extended truth table is defined as the wt(f ) × n table with rows determined by the elements x for which f (x) = 1. A natural generalization in the new metric is given in the next theorem. Theorem 14. A Boolean function f on Fn2 is Δ-CI if its extended truth table is an (M, n, 2, Δ) orthogonal array. 2.6. Example of Modified Combination Generator We give some concrete examples of the modified combination generator as explained in the introduction. 1. Suppose the generator consists of 5 LFSRs of lengths 61, 63, 21, 31, and 33 respectively. Let the security parameter for the (fast) correlation attack be equal to 60. Consequently in order to be secure against the (fast) correlation attack, we need a combination function which is resilient with respect to the 3rd , 4th , 5th and also the 3rd + 4th , 3rd + 5th LFSR, i.e., a Δ resilient function with Δ = {{3, 4}, {3, 5}}. The function f (x1 , . . . , x5 ) = x2 x3 x4 x5 ⊕ x1 x2 x3 ⊕ x1 x4 ⊕ x3 x5 ⊕ x1 ⊕ x2 satisfies this property. Remark that this function has degree 4 and nonlinearity 10. High degree and high nonlinearity are important properties for resisting other attacks like for instance Berlekamp–Massey attack [10] and best affine approximation attack [40]. 2. The function f (x1 , . . . , x5 ) = x1 x2 x3 ⊕ x1 x4 ⊕ x2 x5 ⊕ x3 is a Δ-resilient function with Δ = {{1, 2}, {1, 4}, {1, 5}, {2, 4}, {2, 5}, {4, 5}}. Moreover, the function has degree 3 and maximum nonlinearity 12. The LFSRs of the corresponding modified combination generator with security parameter 60 should have for instance lengths 21, 23, 61, 25, and 27 respectively. When we consider the same models of combination generators in the classical theory, the combination function should be in both cases 2-resilient in order to resist (fast) correlation attacks. Following Siegenthaler’s inequality, the corresponding function has degree less than or equal to 2. Note that now using Δ-resilient functions the choice of the lengths of the LFSRs may not be uniform, which is the case when we use t-resilient functions. Non uniform LFSRs can play an important role for obtaining a compact hardware design. This also allows to relax the requirements to the rest of the parameters like nonlinearity, algebraic degree, etc. Moreover, by Carlet–Sarkar’s result on the divisibility of the Walsh coefficients, the maximum Walsh value is greater or equal than 16, resulting in a nonlinearity less than or equal to 8.
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
89
These examples are just illustrative and need to be scaled up in order to be used in reality. However, it already shows the advantages of considering resiliency with respect to specified monotone sets since the strong trade-offs between resiliency and degree, resiliency and nonlinearity can be avoided.
3. Functions Satisfying Propagation Characteristics with Respect to Δ-Sets Analogously to the definitions of Δ-resilient and Δ-correlation immune (CI) function, we define functions which satisfy the propagation characteristic of degree Δ1 and of order Δ2 (PC(Δ1 ) of order Δ2 ), the propagation characteristic of degree Δ1 (PC(Δ1 )), and the strict avalanche criteria of order Δ2 (SAC(Δ2 )), where Δ, Δ1 , Δ2 are monotone decreasing sets. Definition 7. For two monotone decreasing sets Δ1 and Δ2 the function f satisfies PC(Δ1 ) of order Δ2 iff for every w, such that sup(w) ∈ Δ1 \ {∅} the function f (x) ⊕ f (x ⊕ w) is Δ2 -CI. If Δ2 = ∅, the function f is said to be PC(Δ1 ). If Δ1 = {A : |A| = 1}, the function f satisfies SAC(Δ2 ). Again if Δ1 = {A : |A| ≤ ℓ} and Δ2 = {B : |B| ≤ k} the definitions of PC(Δ1 ) function of order Δ2 and PC(ℓ) function of order k, PC(Δ1 ) function and PC(ℓ) function; SAC(Δ2 ) function and SAC(k) function coincide. The property balancedness of f (x) ⊕ f (x ⊕ w) implies for the autocorrelation rf (w) = 0. 3.1. A Relation with Δ-Resilient Functions We generalize the well-known relation p + t ≤ n − 1 between the order of resiliency t and the degree of propagation p of a Boolean function on Fn2 as proven in [41,42]. Theorem 15. For a Δ1 -resilient function on Fn2 which satisfies PC of degree Δ2 holds ⊥ that Δ2 ∩ Γ⊥ 1 = ∅ and Δ1 ∩ Γ2 = ∅. Proof. The Wiener–Khintchine theorem establishes a relation between the squared Walsh and autocorrelation coefficients of a function in Fn2 [43]: rf (u) = 2−n
Wf (x)2 (−1)x·u .
x∈Fn 2
Based on it, the following relation, with respect to any linear subspace V , was derived in [44]:
u∈V
rf (u) =
1 Wf (x)2 . |V ⊥ | ⊥
(8)
x∈V
Let A be an arbitrary element of Δ2 \ {0}. Note that the coefficient rf (0) is equal to 2n . Now applying the definition of PC of degree Δ2 we obtain
u∈UA
rf (u) = rf (0) = 2n =
1 Wf (x)2 . |UA⊥ | ⊥ x∈UA
90
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
Thus |UA⊥ | 2n =
Wf (x)2 =
Wf (x)2 .
x∈UAc
⊥ x∈UA
As a consequence Ac ∈ / Δ1 or also A ∈ / Γ⊥ 1 because otherwise the right side of the equation above would be zero. This holds for all A ∈ Δ2 and thus Δ2 ∩Γ⊥ 1 = ∅, which is ⊥ ⊆ Γ , equivalent to Δ1 ⊆ Δ⊥ . This in turn is equivalent to Γ equivalent to Δ2 ⊆ Δ⊥ 1 2 2 1 and finally equivalent to Δ1 ∩ Γ⊥ = ∅. 2 3.2. Linear Structures Next we derive a condition for the existence of linear structures for a Δ1 -resilient function which satisfies PC(Δ2 ). A linear structure of a function is an element a ∈ Fn2 for which f (x) ⊕ f (x ⊕ a) is a constant. Linear structures should be avoided, for example, in order to resist differential attacks [45]. Theorem 16. Let f be a Δ1 -resilient function on Fn2 that satisfies PC(Δ2 ). If there − ⊥ + exists a non-empty element A ∈ Δ+ 2 ∩ [Δ1 ] , then all b with sup(b) = B, B ∈ Γ2 and A ⊂ B are linear structures of f . ⊥ + Proof. Let A ∈ Δ+ 2 ∩ [Δ1 ] . From (8) for V = UA and the assumption, we deduce that 2 n ⊥ there exists x, such that sup(x) = Ac ∈ Γ− 1 and Wf (x) = 2 |UA | since Wf (y) = 0 ⊥ for all y ∈ UA , y = x (sup(y) ∈ Δ1 ). Next we apply (8) for V = UB , where B ∈ Γ− 2 and A ⊂ B:
rf (0) + rf (b) =
2 Wf (x)2 . |UA⊥ | ⊥ x∈UB
Because UB⊥ ⊆ UA⊥ , there are two possibilities:
1) sup(x) ⊆ UB⊥ , which leads to rf (b) = 2n ; 2) sup(x) UB⊥ , which leads to rf (b) = −2n .
The fact that |rf (b)| = 2n implies that b is linear structure of f . The following theorem gives a condition on the existence of linear structures for functions which satisfy PC(Δ). The proof is similar to the one of Theorem 16. Theorem 17. Let f be a Boolean function on Fn2 that satisfies PC(Δ). If there exists an element x ∈ Fn2 \ {0} such that sup(x) ∈ A⊥ for A ∈ Δ+ which satisfies Wf (x) = 2n−|UA |/2 , then all b with sup(b) = B and B ∈ Γ− , A ⊆ B are linear structures of f . 3.3. Algebraic Degree First note that the functions satisfying PC(P(P )) are the perfect nonlinear functions (bent functions of characteristic two). From the definition of resiliency, we deduce that for a Boolean function on Fn2 which satisfies PC(Δ1 ) of order Δ2 , the functions f (x) ⊕ f (x ⊕ w) are Δ2 -resilient for all w ∈ Δ1 \ {0}. By Theorem 1, the functions f (x) ⊕
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
91
f (x ⊕ w) are balanced for all w ∈ Δ1 \ {0} on any of the subspaces a + UA , where A ∈ Δ⊥ 2. The following theorem generalizes the bound on the degree d of a function on Fn2 satisfying the SAC(k) property [43], namely d ≤ n − k − 1. Theorem 18. If f satisfies SAC of order Δ then all coefficients au from the ANF of f with sup(u) ∈ Γ⊥ are equal to zero. Moreover, for all sets A ∈ Γ⊥ we have |A| > 1. Proof. Assume that au = 1 for u such that sup(u) ∈ Γ⊥ or equivalently sup(u) ∈ Δ. The function fu will have maximum degree wt(u) which contradicts the PC(1) property. Note that a function of maximum degree has a non-zero autocorrelation spectrum [43]. The condition |A| > 1 for all A ∈ Γ⊥ comes from the fact that a linear function does not satisfy PC(1). Corollary 2. For functions satisfying PC(Δ1 ) of order Δ2 , where |A| > 1 for all A ∈ ⊥ Γ⊥ 2 , the ANF coefficients au of f with sup(u) ∈ Γ2 are equal to zero. 3.4. Constructions The set of functions which satisfy PC(Δ1 ) of order Δ2 are globally invariant under the complementation of any of its coordinates, composition with any permutation on {1, . . . , n} which keeps Δ1 , Δ2 invariant, and the addition of any affine function. We first generalize the change of basis construction. Theorem 19. Let Δ be a set containing less than n elements. Then any Boolean function f on Fn2 which has at least n linearly independent vectors w such that rf (w) = 0 can be transformed into a function that satisfies the PC criterion of degree Δ. The best known and general construction for PC(ℓ) functions of order k is due to Kurosawa and Satoh [46]. This construction uses linear codes. It was later generalized by Carlet [47] who also takes nonlinear codes into account. We present these constructions and show how to derive generalized properties of the obtained functions. Theorem 20. Let g be an arbitrary function on Fs2 and Q be an s × t-matrix. Define Δ1 on {1, . . . , t} and Δ2 on {t+1, . . . , t+s}. Let G1 be the generator matrix of a [t, h, Δ1 ]code and let G2 be the generator matrix of a [s, h, Δ2 ]-code. Define the function f on as follows: Fs+t 2 f (x1 , . . . , xs , y1 , . . . , yt ) = [x1 , . . . , xs ]Q[y1 , . . . , yt ]T ⊕ g(x1 , . . . , xs ). ⊥ Set Q = GT2 G1 then the function f satisfies PC(Δℓ ) of order Δk , where Δℓ = Δ⊥ 1 ⊎Δ2 and Δk = Δ1 ⊎ Δ2 .
Proof. Analogous to the proof in [46] it is easy to see that if the matrix Q satisfies the following two conditions then f satisfies PC(Δℓ ) of order Δk : • sup(Qa) ∈ / Δk for any a ∈ Ft2 , a = 0 and sup(a) ∈ Δℓ ; • sup(bQ) ∈ / Δk for any b ∈ Fs2 , b = 0 and sup(b) ∈ Δℓ .
92
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
Next we verify that Q = GT2 G1 satisfies both conditions. Indeed by Definition 4 G1 a = (M1⊥ )T a = 0 if sup(a) ∈ Δ⊥ 1 and thus by Theorem 11 sup(Qa) = / Δ1 . Analogous bGT2 = bM2⊥ = 0 if sup(b) ∈ Δ⊥ sup(GT2 (G1 a)) ∈ 2 and thus / Δ2 . These checks conclude the proof. sup(bQ) = sup((bGT2 )G1 ) ∈ Remark 14. Let Δk = {A : |A| ≤ k} and Δℓ = {B : |B| ≤ ℓ}, then Δ⊥ ℓ = {B : |B| ≤ n − 1 − ℓ}. So, it is easy to verify that Δk ⊆ Δ⊥ ℓ (in this case) corresponds to k + ℓ ≤ n − 1. Constructions of functions satisfying propagation characteristics that are not based on codes have been proposed by Gouget [48]. We now give two examples of them. defined by Theorem 21. Let f be a Boolean function on F2n+1 2 f : Fn2 × Fn2 × F2 → F2 : (x, y, z) → z(g(x) ⊕ y1 ⊕ · · · ⊕ yn ) ⊕ x · y, where g is an arbitrary function on Fn2 . If g(1) = 1, then f is balanced. The function f satisfies the properties: 1. PC(Δ) with Δ = {{1, . . . , 2n}, A1 , . . . , An }, where Ai = {1, . . . , 2n+1}\{i}. 2. PC(Δ1 ) of order Δ2 with the property that Δ1 ⊎ Δ2 = Δ. Proof. We refer to [48] for the proof of the balancedness of f . In order to proof the first part of the theorem, we compute the derivative of f with respect to (a, b, c) ∈ Fn2 × Fn2 × F2 : Da,b,c f (x, y, z) = z(g(x) ⊕ g(x ⊕ a)) ⊕ c(g(x ⊕ a) ⊕ y1 ⊕ · · · ⊕ yn ⊕ b1 ⊕ · · · ⊕ bn ) ⊕ z(b1 ⊕ · · · ⊕ bn ) ⊕ a · y ⊕ b · x ⊕ a · b. It is easy to check that if sup(a, b, c) ⊆ Δ, the derivative Da,b,c f (x, y, z) becomes a linear function in the y-variables. This also means that Da,b,c f (x, y, z) is a balanced function. For the second part of the proof, let A ∈ Δ1 and B ∈ Δ2 such that A ∪ B ∈ Δ. Then the derivative with respect to B of the function obtained by fixing the variables corresponding to A is again a function which will linearly depend on y. The next construction from [48] is a generalization of the construction of Honda et al. and can reach a high degree [49]. Theorem 22. Let f be a Boolean function on Fn2 defined by f : Fs2 × F2n−s−1 × F2 → F2 : (x, y, z) → f1 (x) ⊕ f2 (y) ⊕ f3 (z) ⊕ x · φ(y) ⊕ z(x1 ⊕ · · · ⊕ xn ), where f1 , f2 , f3 are functions on Fs2 , F2n−s−1 and F2 respectively. The function φ is a mapping from F2n−s−1 into Fs2 . Then f satisfies the propagation criterion of order Δ = {{∅, {1}, {2}, . . . , {s}} ⊎ Δ2 ⊎ {∅, {n}}} ∪ {Δ1 ⊎ {∅, {n}}}, where Δ1 and Δ2 are defined on {1, . . . , s} and {s + 1, . . . , n − 1} respectively, if and only if φ satisfies the properties:
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
93
1) the function x · φ(y) is balanced if and only if sup(x) ∈ Δ1 ; 2) the function φ(y)⊕φ(y ⊕x) is different from the all-zero and the all-one function for all x such that sup(x) ∈ Δ2 . Proof. Let compute the derivative of f with respect to the triple (a, b, c) ∈ Fs2 ×F2n−s−1 × F2 : D(a,b,c) f (x, y, z) = Da f1 (x) ⊕ Db f2 (y) ⊕ Dc f3 (z) ⊕ x · (φ(y) ⊕ φ(y ⊕ b)) ⊕ a · φ(y ⊕ b) ⊕ z(a1 ⊕ · · · ⊕ as ) ⊕ c(x1 ⊕ · · · ⊕ xs ⊕ a1 ⊕ · · · ⊕ as ). Note first that when wt(a) = 1 the derivative is a linear function in z, hence {{1}, {2}, . . . , {s}} ⊎ P ({s + 1, . . . , n − 1}) ⊎ {∅, {n}} ∈ Δ. On the other hand, when wt(a) = 0 and sup(b) ∈ Δ2 the second condition ensures that the derivative is balanced independently of wt(c). Thus Δ2 ⊎ {∅, {n}} ∈ Δ2 . Therefore combining both observations (and taking into account the monotone decreasing property) we derive that {{∅, {1}, {2}, . . . , {s}} ⊎ Δ2 ⊎ {∅, {n}}} ∈ Δ. Last notice that when wt(b) = 0 and sup(a) ∈ Δ1 the first condition ensures that the derivative is balanced. So, we have also that Δ1 ⊎ {∅, {n}} ∈ Δ which completes the proof. 4. Conclusions and Open Problems In this paper we have shown that many classical notions, constructions and results from the theory of cryptographic properties of Boolean functions can be extended to a more general setting: t-resiliency and PC properties can be represented as Δ-resiliency or PC properties with respect to Δ, where Δ = {A : |A| ≤ t}. Instead of working with numbers, we work with sets, which give us more flexibility in satisfying incompatible requirements as shown in Sect. 2.6. We have also defined analogous notions for the algebraic and the numerical degree of a Boolean function. Then we have proven equivalent results to most of the known inequalities in this new setting. It is much easier to adjust the parameters of a function, when one works with sets compared to numbers. When a trade-off needs to be achieved between parameters of a function, we can easily reduce a set (e.g., Δ) with some of its elements in order to satisfy the condition, comparing to the previous case where we need to reduce the number (e.g., t to t − 1 for example) discarding all sets of a fixed cardinality (e.g., with cardinality t). This approach gives more insight and better understanding in the behaviour of a Boolean function. More precisely, it allows us to determine which structural properties contributes to different known results like for instance the Siegenthaler’s inequality. Future work will investigate if these insights lead to new constructions of t-resilient functions (functions satisfying PC properties) by going over special monotone set resilient function (PC functions). We leave as an open question whether such functions exist for any Δ. In the theory of Secret Sharing Schemes (SSS), a scheme (or equivalently a monotone increasing set) is called ideal if each player has a share of minimal size. But it is known that for “many” monotone sets there is no ideal scheme, i.e., there is no finite field in which the SSS is ideal. This also corresponds to the question of representability of a matroid. For Boolean
94
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
functions we consider only this ideal case, since every coordinate (input) in the function is considered as a player’s share. Thus in the binary field there are monotone sets Γ for which there does not exist a corresponding MSP (equivalently matroid or SSS). It seems likely that there exist sets Δ for which there does not exist a corresponding Δ-resilient function. Another interesting problem is to generalize and study the notions of resiliency and PC for vectorial Boolean functions. For these functions, the definitions have more freedom since sets of input and output can be considered. Zigzag functions [50], used in the context of oblivious transfer, are a particular example of such Δ-resilient vectorial functions. Properties from access structures can be used to derive the properties of these functions as shown in [51].
References [1] A. Braeken, V. Nikov, S. Nikova, and B. Preneel, On Boolean Functions with Generalized Cryptographic Properties, Proc. of Indocrypt 2004, LNCS 3348 (2004), Springer-Verlag, 119–134. [2] A. Braeken, V. Nikov, and S. Nikova, Error-Set Codes and Related Objects, Proc. of COCOON 2005, LNCS 3595 (2005), Springer-Verlag, 577–585. [3] S. Fehr and U. Maurer, Linear VSS and Distributed Commitments Based on Secret Sharing and Pairwise Checks, Proc. of Crypto 2002, LNCS 2442 (2002), Springer-Verlag, 565–580. [4] V. Nikov and S. Nikova, On a Relation Between Verifiable Secret Sharing Schemes and a Class of ErrorCorrecting Schemes, Proc. of WCC 05, Springer-Verlag, 2005. Full version: Cryptology ePrint Archive, Report 2003/210, http://eprint.iacr.org/. [5] T. Siegenthaler, Correlation-Immunity of Nonlinear Combining Functions for Cryptographic Applications, IEEE Trans. Information Theory (1984), 776–780. [6] T. Siegenthaler, Decrypting a Class of Stream Ciphers Using Ciphertext Only, IEEE Trans. Computers (1985), 81–85. [7] W. Meier and O. Staffelbach, Fast Correlation Attacks on Certain Stream Ciphers, J. of Cryptology (1992), 67–86. [8] T. Johansson and F. Jönsson, Fast Correlation Attacks Based on Turbo Code Techniques, Proc. of Crypto 1999, LNCS 1666 (1999), Springer-Verlag, 181–197. [9] R.A. Rueppel and O.J. Staffelbach, Products of Linear Recurring Sequences with Maximum Complexity, IEEE Trans. Information Theory 33(1) (1987), 124–131. [10] J.L. Massey, Shift-Register Synthesis and BCH Decoding, IEEE Trans. Information Theory (1969), 122–127. [11] N. Courtois and W. Meier, Algebraic Attacks on Stream Ciphers with Linear Feedback, Proc. of Eurocrypt 2003, LNCS 2656 (2003), Springer-Verlag, 345–359. [12] A. Canteaut, C. Carlet, P. Charpin, and C. Fontaine, Propagation Characteristics and CorrelationImmunity of Highly Nonlinear Boolean Functions, Proc. of Eurocrypt 2000, LNCS 1807 (2000), Springer-Verlag, 507–522. [13] K. Kurosawa, T. Johansson, and D.R. Stinson, Almost k-wise Independent Sample Spaces and Their Cryptologic Applications, J. of Cryptology 14(4) (2001), 231–253. [14] K. Kurosawa, Almost Security of Cryptographic Boolean Functions, Cryptology ePrint Archive, Report 2003/075, http://eprint.iacr.org/. [15] Y. Dodis, A. Sahai, and A. Smith, On Perfect and Adaptive Security in Exposure Resilient Functions, Proc. of Eurocrypt 2001, LNCS 2045 (2001), Springer-Verlag, 301–324. [16] A. Gouget and H. Sibert, Revisiting correlation-immunity in filter generators, Proc. of 14th International Workshop on Selected Areas in Cryptography (SAC 2007), Ottawa, Canada, LNCS (2007), SpringerVerlag. [17] C. Carlet and E. Prouff, On Plateaued Functions and Their Constructions, Proc. of Fast Software Encryption 2003, LNCS 2887 (2003), Springer-Verlag, 57–78. [18] Y. Zheng and X.M. Zhang, Plateaued Functions, Proc. of International Conference on Information and Communications Security, LNCS 1726 (1999), Springer-Verlag, 284–300.
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
95
[19] D. Jungnickel, Finite Fields. Structure and Arithmetics, BI, Wissenschaftverslag, 1992. [20] G.Z. Xiao and J.L. Massey, A spectral Characterization of Correlation-Immune Combining Functions, IEEE Trans. Information Theory 34 (1988) 569–571. [21] Y. Zheng, X.M. Zhang, and H. Imai, Connections Between Nonlinearity and Restrictions, Terms and Hypergraphs of Boolean Functions, Proc. of IEEE International Symposium on Information Theory 1998, IEEE Press, 439 (1998). [22] C. Carlet and P. Guillot, Bent, Resilient Functions and the Numerical Normal Form, Discrete Mathematics and Theoretical Computer Science (2001), 87–96. [23] P. Sarkar and S. Maitra, New directions in Design of Resilient Boolean Functions, Cryptology ePrint Archive, Report 2000/009, http://eprint.iacr.org/. [24] C. Carlet and P. Sarkar, Spectral Domain Analysis of Correlation Immune and Resilient Boolean Functions, Finite fields and Applications 8 (2002) 120–130. [25] F.J. MacWilliams and N.J.A. Sloane, The Theory of Error-Correcting Codes, North Holland, Amsterdam, 1977. [26] P. Camion, C. Carlet, P. Charpin, and N. Sendrier, On Correlation Immune Functions, Proc. of Crypto 1991, LNCS 576 (1992), Springer-Verlag, 86–100. [27] Y. Zheng and X.M. Zhang, Cryptographically Resilient Functions, IEEE Trans. Information Theory 43(5) (1997), 1740–1747. [28] C. Carlet, More Correlation-Immune and Resilient Functions over Galois Fields and Galois Rings, Proc. of Eurocrypt 1997, LNCS 1233 (1997), Springer-Verlag, 422–433. [29] J. Dillon, Elementary Hadamard Difference Sets, Ph.D. Thesis, University of Maryland, 1974. [30] Y. Tarannikov, On Resilient Boolean Functions with Maximal Possible Nonlinearity, Proc. of Indocrypt 2000, LNCS 2247 (2001), Springer-Verlag, 19–30. [31] Y. Tarannikov, New Constructions of Resilient Boolean Functions with Maximal Nonlinearity, Proc. of Fast Software Encryption, LNCS 2355 (2001), Springer-Verlag, 66–77. [32] C.-K. Wu and E. Dawson, Construction of Cryptographic Correlation-Immune Boolean Functions, Proc. of Information and Communications Security 1997, LNCS 1334 (1997) Springer-Verlag, 170–180. [33] J. Daemen, R. Govaerts, J. Vandewalle, Correlation Matrices, Proc. of Fast Software Encryption 1994, LNCS 1008 (1995), Springer-Verlag, 275–285. [34] K. Gupta and P. Sarkar, Improved Construction of Nonlinear Resilient S-Boxes, Proc. of Asiacrypt 2002, LNCS 2501 (2002), Springer-Verlag, 466–483. [35] M. Karchmer and A. Wigderson, On Span Programs, Proc. of 8th Annual Structure in Complexity Theory Conference (1993), 102–111. [36] M. Van Dijk, Secret Key Sharing and Secret Key Generation, Ph.D. Thesis, 1997, TU Eindhoven. [37] E. Brickell and D. Davenport, On the classification of ideal secret sharing schemes, J. of Cryptology 4 (1991), 123–134. [38] D. Welsh, Matroid Theory, Academic Press, London, 1976. [39] A.S. Hedayat, N.J.A. Sloane, and J. Stufken, Orthogonal Arrays: Theory and Applications, SpringerVerlag, New York, 1999. [40] C. Ding, G. Xiao, and W. Shan, Stability Theory of Stream Ciphers, Springer, 1991. [41] Y. Zheng and X.M. Zhang, On Relationship Among Avalanche, Nonlinearity, and Propagation Criteria, Proc. of Asiacrypt 2000, LNCS 1976 (2000), Springer-Verlag, 470–483. [42] P. Charpin and E. Pasalic, On Propagation Characteristics of Resilient Functions, Proc. of Selected Areas in Cryptography 2002, LNCS 2595 (2002), Springer-Verlag, 356–365. [43] B. Preneel, W. Van Leekwijck, L. Van Linden, R. Govaerts, and J. Vandewalle, Propagation Characteristics of Boolean Functions, Proc. of Eurocrypt 1990, LNCS 473 (1991), Springer-Verlag, 161–173. [44] A. Canteaut, C. Carlet, P. Charpin, and C. Fontaine, On Cryptographic Properties of the Cosets of RM(1, m), IEEE Trans. Information Theory 47(4) (2001), 1494–1513. [45] E. Biham, Differential Cryptanalysis of the Full 16-Round DES, Proc. of Crypto 1992, LNCS 740 (1993), Springer-Verlag, 487–496. [46] K. Kurosawa and T. Satoh, Design of SAC / PC(ℓ) of order k Boolean Functions and Three Other Cryptographic Criteria, Proc. of Eurocrypt 1997, LNCS 1233 (1997), Springer-Verlag, 434–449. [47] C. Carlet, On Cryptographic Propagation Criteria for Boolean Functions, Information and Computation 151(1–2) (1999), 32–56. [48] A. Gouget, Etude des propriétés cryptographiques des fonctions booléennes et algorithme de confusion pour le chiffrement symétrique, Ph.D. Thesis, Université de Caen, 2004.
96
A. Braeken et al. / On Boolean Functions with Generalized Cryptographic Properties
[49] T. Honda, T. Satoh, T. Iwata, and K. Kurosawa, Probabilistic higher order differential attack and higher order bent functions, Proc. of SAC 1997, LNCS 1556 (1997), Springer-Verlag, 64–72. [50] G. Brassard, D. Crépeau, and M. Sántha, Oblivious Transfers and Intersecting Codes, IEEE Transaction on Information Theory, special issue in coding and complexity 42(6) (1996), 1769–1780. [51] A. Braeken, V. Nikov, and S. Nikova, Zigzag Functions and Related Objects in New Metric, Proc. of the 8th Nordic Combinatorial Conference, 45–58, 2004. [52] C. Carlet, On the Coset Weight Divisibility and Nonlinearity of Resilient Functions, Sequences and their Applications 2001, Discrete Mathematics and Theoretical Computer Science, 131–144, 2001. [53] C. Carlet, Partially-Bent Functions, Designs, Codes and Cryptography 3(2) (1993), 135–145. [54] S. Chee, S. Lee, D. Lee, and S.H. Sung, On the Correlation Immune Functions and Their Nonlinearity, Proc. of Asiacrypt 1996, LNCS 1163 (1996), Springer-Verlag, 232–243. [55] J. Daemen, Cipher and Hash Function Design, Ph.D. Thesis, Katholieke Universiteit Leuven, 1995. [56] P. Langevin, On the Covering Radius of RM(1, 9) in RM(3, 9), Proc. of Eurocode 1990, Coding Theory and Applications, LNCS 514 (1991), Springer-Verlag, 51–59. [57] K. Martin, Discrete Structures in the Theory of Secret Sharing, Ph.D. Thesis, Royal Holloway and Bedford New College, 1993. [58] J. Seberry, X.-M. Zhang, and Y. Zheng, Relationship Between Propagation Characteristics and Nonlinearity of Cryptographic Functions, Journal of Universal Computer Science 1(2) (1995), 136–150. [59] D. Stinson, Combinatorial Designs and Cryptography, Surveys in combinatorics, Cambridge University Press, New York, NY, 1993. [60] Y. Zheng and X.M. Zhang, Strong Linear Dependence of Unbiased Distribution on Non-Propagative Vectors, Proc. of Selected Areas in Cryptography 1999, LNCS 1758 (1999), Springer-Verlag, 92–105.
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-97
97
Conjectures on the Number of Balanced Boolean Functions of Bounded Degree Thomas W. CUSICK 1 State University of New York at Buffalo, NY, USA Abstract. We state several conjectures which provide good upper and lower bounds for the number of balanced Boolean functions in n variables with degree less than or equal to k. We give proofs for several special cases and give some reasons why we think that the conjectures are true. We believe that the conjectures will be very useful for further research. Keywords. Boolean function, balanced function, Reed–Muller code
Introduction This paper contains five conjectures on Boolean functions in n variables with degree bounded by k, plus proofs of some special cases. We shall use the following notations throughout: The binomial coefficient ab is denoted by C(a, b). The number of elements in a set S is denoted by #S. The function f is always a Boolean function in n variables. The weight of a function f is the usual Hamming weight, which we denote by wt(f ). A function f in n variables is balanced if wt(f ) = 2n−1 . We define B(k, n) = number of balanced functions of degree ≤ k in n variables; P (k, n) = 21+C(n,1)+C(n,2)+···+C(n,k) = number of functions of degree ≤ k in n variables. We let R(k, n) denote the Reed–Muller code of degree k and length 2n , so the codewords of R(k, n) are exactly the truth tables of all of the Boolean functions of degree ≤ k in n variables and #R(k, n) = P (k, n) (in other words, the dimension of the code R(k, n) k is j=0 C(n, j)). We let # Bal(S) denote the number of balanced functions in the set S of Boolean functions. Now we can state the five conjectures. The first one concerns the quotient group R(k + 1, n)/R(k, n) for k > 0. 1 State University of New York at Buffalo, Department of Mathematics, Buffalo, NY 14260, USA; E-mail: [email protected].
98
T.W. Cusick / Conjectures on the Number of Balanced Boolean Functions of Bounded Degree
Conjecture 1. Given k > 0, for each function f with degree k + 1 we have # Bal(f + R(k, n)) < B(k, n), that is, the coset R(k, n) in R(k + 1, n)/R(k, n) contains more balanced functions than any other coset. Conjecture 2. For each k, 1 ≤ k ≤ n − 1, we have 2C(n,k+1) B(k, n) > B(k + 1, n). Conjecture 3. For each k, 1 ≤ k ≤ n − 1, we have B(k, n) B(k + 1, n) < . P (k + 1, n) P (k, n) Conjecture 4. For each k, 3 ≤ k ≤ n − 1, we have 2[(n−1)/k]
B(k, n) B(k + 1, n) ≤ 2[(n−1)/(k+1)] . P (k + 1, n) P (k, n)
Note: Conjecture 4 strengthens Conjecture 3 when k divides n − 1, and holds with equality when k = n − 1. Conjecture 5. For each k, c, we have 2[(n−1)/k]
B(k, n) B(k, n + 1) < 2[n/k] . P (k, n + 1) P (k, n)
If n > 10, we can strengthen this slightly: 2[(n−1)/k]
B(k, n + 1) B(k, n) ≤ 2([n/k]−1/2) . P (k, n + 1) P (k, n)
Note that it is not true that B(k, n)/P (k, n) decreases as n increases, though Conjecture 5 implies this is true except perhaps when k divides n. For example, computation gives B(3, 7)/P (3, 7) = 0.29 . . . > B(3, 6)/P (3, 6) = 0.20 . . . . These five conjectures were first stated in my paper with my student Younhwan Cheon [1].
1. Discussion of the Conjectures It is easy to see that Conjectures 2 and 3 follow from Conjecture 1, and that Conjectures 2 and 3 are logically equivalent. The conjectures are motivated by the well known theorem of McEliece [2,3] (see also the discussion in the book of MacWilliams and Sloane [4, p. 447]). McEliece’s Theorem. The weight of any Boolean function of degree ≤ k in n variables is divisible by 2[(n−1)/k] .
T.W. Cusick / Conjectures on the Number of Balanced Boolean Functions of Bounded Degree
99
The conjectures can be thought of as attempts to make more precise the role played by the powers of 2 in the weights of the codewords of R(k, n). In particular, we believe that McEliece’s Theorem reflects some properties of R(k, n) which distinguish these codes from random ones. We next explain these (conjectural) properties. Suppose C is a code of length N and dimension K, and let Ai denote the number of codewords of weight i for 0 ≤ i ≤ N . Define ai = Ai /2K . Now it is not hard to show (see [4, p. 287, Problem (8)]) that ai is well approximated by the binomial distribution, that is, ai ≈ 2−N C(N, i) for 0 ≤ i ≤ N.
(1)
A classic paper of Sidel’nikov [5] shows that this is in fact true for any code C whose dual code has a large minimum distance (see the discussion in [4, p. 282–288]). If the code R(k, n) (length 2n , dimension 1 + C(n, 1) + C(n, 2) + · · · + C(n, k)) behaved in accordance with Eq. (1), then we would have B(k, n) ≈
C(2n , 2n−1 )P (k, n) . 22n
(2)
Eq. (2) would imply that B(k, n)/P (k, n) is independent of k, but we believe (Conjectures 3 and 4) that B(k, n)/P (k, n) decreases as k increases, especially when k divides n − 1 (Conjecture 4). In fact Conjecture 4 implies B(k, n) ≥
2[(n−1)/k] C(2n , 2n−1 )P (k, n) , 22n
3≤k ≤n−1
(3)
instead of Eq. (2) (the easy proof is given in [1, p. 104, Th. 3.3]). The extra factor of 2[(n−1)/k] in (3) leads to the decrease in B(k, n)/P (k, n) as k increases. We think McEliece’s theorem is responsible for this, because it requires that the weights in the codes R(k, n) cannot be too close together, that is, they must “clump”. Thus the clumping of weights in R(k, n) changes the behavior of these codes as compared with random ones. We believe that the lower bound in Eq. (3) is very sharp in many cases. Computation shows that the lower bound agrees with the exact value to 34 significant figures for B(5, 9) ≈ 6.9 × 10113 ; the exact value of B(5, 9) is given in [6]. Note that we have exact formulas for B(k, n) when k = 1, 2, n − 1 or n, and the inequality in Eq. (3) actually holds as an equality when k = n − 1. From Conjectures 4 and 5 we can prove (the details are in [1, p. 105, Th. 4.2]) the following upper bound for B(k, n): B(k, n)
0 is a constant.
100
T.W. Cusick / Conjectures on the Number of Balanced Boolean Functions of Bounded Degree
2. Special Cases of Conjecture 1 The case k = n − 1 of Conjecture 1 is very simple, because there are only two cosets in R(n, n)/R(n−1, n), and the coset R(n−1, n) has all of the balanced functions because of the well known fact that wt(f ) is odd for any function f in n variables with degree n. Another simple proof of this is given in [1, p. 103, Th. 2.5]. The case k = 1 of Conjecture 1 follows from the known weight distribution of R(2, n), as we see in the proof of the following theorem. Theorem 1. The case k = 1 of Conjecture 1 is true. In fact, each of the 2C(n,2) cosets of R(2, n)/R(1, n) has one of the following weight distributions for some integer r: Weight Number of functions 2n−1 − 2n−r−1 22r 2n−1 2n+1 − 22r+1 n−1 n−r−1 2r 2 +2 2 Coset R(1, n) has the distribution for r = 0, and all other cosets have the distribution for some r satisfying 1 ≤ r ≤ [n/2]. Proof. The assertion in the theorem about coset R(1, n) is clear, since any nonconstant linear function is balanced. The other assertions in the theorem follow from the known weight distribution of R(2, n), which is explained in [4, p. 433–443]. It follows from the discussion there that any coset other than R(1, n) has a positive rank r, 1 ≤ r ≤ [n/2], such that the weight distribution is determined by r and in fact is given by the table in Theorem 1 (see [4, p. 44, Th. 5]). This proves Theorem 1. More is known about the cosets of R(2, n)/R(1, n). Hou [7, p. 101] proved that R(2, n)/R(1, n) has [n/2] + 1 orbits (that is, sets of cosets with the same weight distribution), and orbit representatives are R(1, n) and gi + R(1, n), where gi = x1 x2 + x3 x4 + · · · + x2i−1 x2i ,
1 ≤ i ≤ [n/2].
The dual code of R(k, n) is R(n − k − 1, n) for 0 ≤ k ≤ n − 1 [4, p. 375] and we can compute the weight distribution of any code from its dual code [4, p. 125–130]. Since the weight distribution of R(1, n) is simple, we can compute a detailed description of the weight distribution of R(n − 2, n). This turns out to be enough to enable us to prove the next theorem. Theorem 2. The case k = n − 2 of Conjecture 1 is true. In fact, we have B(n − 2, n) = 2−n [C(2n , 2n−1 ) + (2n − 1)C(2n−1 , 2n−2 )]
(6)
and all of the 2n − 1 cosets of R(n − 1, n)/R(n − 2, n) other than R(n − 2, n) have the same number of balanced functions, namely # Bal(f + R(n − 2, n)) = 2−n [C(2n , 2n−1 ) − C(2n−1 , 2n−2 )], where f is any function of degree n − 1.
(7)
T.W. Cusick / Conjectures on the Number of Balanced Boolean Functions of Bounded Degree
101
We will give the proof after one preliminary lemma. We shall need the Krawtchouk polynomials [4, p. 130] defined by Pk (x; N ) =
k j=0
(−1)j C(x, j)C(N − x, k − j),
k = 0, 1, 2, . . .
(8)
Lemma 1. Let Di denote the number of codewords of weight i for 0 ≤ i ≤ 2n in the code R(n − 2, n). Let Pk (x) denote the polynomial Pk (x; 2n ). Then Dk = 2−(n+1) [Pk (0) + (2n+1 − 1)Pk (2n−1 ) + Pk (2n )],
0 ≤ k ≤ 2n
(9)
and in particular D2n−1 = 2−n [C(2n , 2n−1 ) + (2n − 1)C(2n−1 , 2n−2 )].
(10)
Proof. Let Ai denote the number of codewords of weight i for 0 ≤ i ≤ 2n in the code R(1, n). Since R(n − 2, n) is the dual code of R(1, n), we have the formula n
−(n+1)
Dk = 2
2 j=0
Aj Pk (j),
0 ≤ k ≤ 2n
(11)
(see [4, p. 129, Eq. (13)]) which gives the connection between the weight distribution of a code and its dual code. Since only three of the Ai are nonzero, Eq. (9) follows from Eq. (11), and the only values of Pk (j) which we need are Pk (0) = C(2n , k),
Pk (2n ) = (−1)k C(2n , k)
(12)
and Pk (2n−1 ) =
k (−1)j C(2n−1 , j)C(2n−1 , k − j)
(13)
j=0
(with the conventions C(0, 0) = 1 and C(0, j) = 0 for j > 0, Eqs. (12) and (13) follow immediately from Eq. (8)). When k = 2n−1 , Eqs. (12) and (13) combined with the familiar binomial coefficient identity n−1 2
(−1)j C(2n−1 , j)2 = C(2n−1 , 2n−2 )
j=0
give Eq. (10). Of course D2n−1 in Lemma 1 is equal to B(n − 2, n) by definition, so Eq. (10) proves Eq. (6) in Theorem 2. If we define E(n − 1, n) = number of balanced functions of degree n − 1 in n variables,
102
T.W. Cusick / Conjectures on the Number of Balanced Boolean Functions of Bounded Degree
then the obvious formula B(n − 1, n) = C(2n , 2n−1 ) combined with Eq. (6) gives E(n − 1, n) = (1 − 2−n )[C(2n , 2n−1 ) − C(2n−1 , 2n−2 )].
(14)
Proof of Theorem 2. We have already seen that Eq. (10) in Lemma 1 gives Eq. (6) in the theorem. We see from Eq. (14) that the average number of balanced functions of degree n − 1 in the 2n − 1 cosets of R(n − 1, n)/R(n − 2, n) which contain such functions is exactly the right-hand side of Eq. (7). This proves Eq. (7) provided that we can show that all of those 2n − 1 cosets have the same number of balanced functions. This is true because there are only two orbits (that is, sets of cosets with the same weight distribution) in R(n − 1, n)/R(n − 2, n); the orbit count follows from the fact that it is trivial that R(1, n)/R(0, n) has two orbits, and by duality (see [8, p. 166] for example) the same is true for R(n − 1, n)/R(n − 2, n). Alternatively, it is not hard to see that there is a change of basis (linear transformation with determinant 1) which maps any coset g + R(n − 2, n), where g has degree n − 1, to any other such coset, in such a way that balanced functions are mapped to balanced functions (of course any change of basis preserves function weights). Thus the proof of Theorem 2 is complete. The case k = n − 3 of Conjecture 1 is not yet proved. Imitating the proof of Theorem 2 does not seem to work. Since the weight distribution of R(2, n) is known, we can in principle compute explicitly the weight distribution of the dual code R(n − 3, n). One way of doing this was given by Hou [8], but the explicit description for R(n − 3, n) seems to be too complex to allow the technique used in the proof of Theorem 2 to be carried out. We can give some interesting computational evidence for the truth of the case k = n − 3. This is so despite the fact that very few non-obvious values of B(k, n) can be computed, due to the huge size of the needed calculations. (The 11 known values as of 2007 are given in [1, p. 104, Table 1].) We define Av(n − 3, n) =
B(n − 2, n) − B(n − 3, n) 2C(n,2) − 1
to be the average number of balanced functions of degree n − 2 in the cosets of R(n − 2, n)/R(n − 3, n) which contain such functions and we define Q(n − 3, n) =
Av(n − 3, n) , B(n − 3, n)
which is the ratio of the average to the total number of balanced functions in R(n − 3, n). Conjecture 1 says Q(n − 3, n) < 1 (this inequality is also exactly the case k = n − 3 of Conjecture 2), and we believe that Q(n − 3, n) is actually very close to 1 for n > 5. This is the same thing as saying that, for n > 5, the inequality in Conjecture 2 for k = n − 3 is also an approximate equality. Table 1 gives numerical evidence for our conjecture that Q(n − 3, n) is very close to 1 for n > 5. We only have data for 4 ≤ n ≤ 7 since the value of B(5, 8) has not been computed exactly. Of course we can exactly compute B(n − 2, n) for all n from Eq. (6), but no such exact formula for B(n − 3, n) is known.
T.W. Cusick / Conjectures on the Number of Balanced Boolean Functions of Bounded Degree
103
Table 1. Numerical evidence for the closeness of Q(n − 3, n) to 1 when n > 5 n
Q(n − 3, n)
Av(n − 3, n)
B(n − 3, n)
870
B(n − 2, n)
4 .44
13.33
30
5 .5
18, 338
36, 518
18, 796, 230
6 .999008
8.73683 × 1011
874, 731, 154, 374
2.86348 × 1016
7 .99999999996766 8.922497198704 × 1028 8.922497198992 × 1028 1.871183284 × 1035
References [1] Th.W. Cusick and Y. Cheon, Counting balanced Boolean functions in n variables with bounded degree, Experimental Mathematics 16 (2007), 101–105. [2] R.J. McEliece, On periodic sequences from GF(q), J. Combinatorial Theory, Ser. A 10 (1971), 80–91. [3] R.J. McEliece, Weight congruences for p-ary cyclic codes, Discrete Mathematics 3 (1972), 177–192. [4] F.J. MacWilliams and N.J.A. Sloane, The Theory of Error-Correcting Codes, Elsevier, Amsterdam, 1977. [5] V.M. Sidel’nikov, Weight spectrum of binary Bose–Chaudhuri–Hocquenghem codes, Problems of Information Transmission 7 (1971), 11–17. [6] T. Sugita, T. Kasami, and T. Fujiwara, Weight distributions of the third and fifth order Reed– Muller codes of length 512, Technical Report NAIST-IS-TR96006, Nara Institute of Science and Technology, 1996, available online at http://isw3.aist-nara.ac.jp/IS/TechReport2/ report/96006.ps. [7] X. Hou, GL(m, 2) acting on R(r, m)/R(r − 1, m), Discrete Mathematics 149 (1996), 99–122. [8] X. Hou, The eigenmatrix of the linear association scheme on R(2, m), Discrete Mathematics 237 (2001), 163–184.
104
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-104
Bit-Parallel Circuits for Arithmetic in Finite Fields1 Sergey B. GASHKOV a and Igor S. SERGEEV a,2 a Moscow State University, Moscow, Russia Abstract. The paper surveys methods of constructing bit-parallel circuits for arithmetic operations in finite fields. Keywords. Galois field, multiplication, inversion, Boolean circuit, depth, complexity
Introduction Efficient implementation of arithmetic in finite fields is of primary importance for cryptography, coding theory, digital signal processing etc. (see, for example [1,2,3,4,5,6,7,8, 9,10]). In this survey we consider only Boolean circuits for arithmetic operations in finite fields. Another term: bit-parallel circuits. Boolean circuits for multiplication and inversion in finite fields are implemented physically on chips and are tailored for particular applications. These circuits are usually called multipliers and invertors. In practice the main interest lies in fields of characteristic two, but some fields of odd characteristic are also involved. In the last case elements of a field are coded by binary strings. Boolean circuits are composed from Boolean two-input cells (or gates) AND, NAND, OR, NOR, XOR, XNOR, connected by wires. Depth of a given circuit is the length of the longest directed path, connecting primary input and output of the circuit. Complexity of a given circuit (in other words, size of a circuit) is the number of cells in it. This notion is very close to the notion of bit complexity of computation (program). As usual, complexity (depth) of a Boolean function is defined as a minimum of complexities (depths) of circuits implementing it. All necessary definitions may be found in [11,12]. Minimization of the depth and the complexity of circuits is one of the central and practically important problems in the complexity theory. The field of order q is denoted by GF(q). Elements of GF(q n ) may be represented by polynomials over GF(q) of degree at most n − 1. If elements of GF(q n ) are represented in the standard basis 1 This work was partially supported by the Russian Foundation for Basic Research (grant no. 05-01-00994), Sci. Sch. (5400.2006.1), OMN RAN “Algebraic and combinatorial methods of mathematical cybernetics” program (project “Synthesis and complexity of control systems”). 2 Address of the authors: Department of Discrete Mathematics, Moscow State University, Leninskie Gory, Moscow, Russia; E-mail: [email protected] (S.B. Gashkov), [email protected] (I.S. Sergeev).
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
105
Bα = {α0 , α1 , . . . , αn−1 } (the element α ∈ GF(q n ) is called the generator of Bα ), then multiplication in Bα amounts to polynomial multiplication modulo an irreducible polynomial g(x) over 2 n−1 GF(q) such that g(α) = 0. If the conjugate elements α, αq , αq , . . . , αq are linearily independent over GF(q), then they form a basis 0 1 n−1 , B α = αq , αq , . . . , αq
which is called normal basis with generator α. (Theoretical background on finite fields may be found in [5,13].) Complexity of implementation of multiplication and inversion in GF(q) are denoted by M (GF(q)) and I(GF(q)) respectively. We also introduce notation DM (GF(q)) and DI (GF(q)) respectively for the depth of the operations. Similar notation is used for other operations. Sometimes it is convenient to consider calculations over subfield GF(p). For corresponding complexity and depth measures we use the same (p) notation with upper indices (p) like M (p) (GF(q)) or DI (GF(q)).
1. Integer Arithmetic Circuits implementing elementary numeric operations (namely, operations modulo p, where p is prime) are used as building blocks for circuits implementing operations in finite fields (of order pn ). This is why we discuss also some issues related to implementation of integer arithmetic. Complexity of addition (subtraction) of n-bit numbers (corresponding circuits are usually called adders or subtractors) is known to be A(n) = 5n−3 [14]. (A method due to V.M. Khrapchenko [15] allows one to build an adder of depth log n + (2 + o(1)) log n (here and further on “log” denotes binary logarithm); complexity of this circuit can be reduced to (8 + o(1))n [16]. In practice, when n is no more than several thousands, other methods result in better circuits. Some techniques for building such adders are presented in [16] (including ternary method due to M.I. Grinchuk with depth bound 1.262 log n + 2.05). The reader can find a comprehensive analysis of theoretical aspects of implementation of multiplication in [17]. In the present paper we consider mainly practical aspects. Complexity of multiplication of n-bit numbers is denoted by M (n). It is well known that the complexity of a standard multiplier is 6n2 − 8n + O(1). Standard multiplier can be constructed so that its depth reduced to O(log n) (using a method, proposed independently by G.K. Stolyarov [18], A. Avizienis [19], Yu.P. Ofman [20] and C. Wallace [21]). Minimization of the depth of a standard multiplier is one of extensively studied problems of computer science. To the best of our knowledge, the best current asymptotic upper bound is 4.44 log n + O(1) (see [22]). More practical method leads to the depth estimate 5 log n + 5 [23]. This method also provides a benefit in terms of complexity. The earliest method of reducing complexity of an integer multiplier is due to A.A. Karatsuba [20] (at that time he was a post-graduated student of Moscow State University (MSU), the problem was set by A.N. Kolmogorov). The recursive complexity estimate of Karatsuba’s integer multiplier is
106
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
M (2n) ≤ 3M (n) + 52n − 9. The upper bound for n = 2s is M (n) ≤
1463 log 3 ·n − 52n + 4.5. 54
Karatsuba’s multiplier has lower size than a standard one for n ≥ 17. But its depth is O(log2 n). Similarly to the case of standard multiplier, the depth of Karatsuba’s multiplier can be reduced to O(log n) (see, e.g., [12]). In [24] somewhat better construction was presented, but in any case multiplicative constants in estimates for depth and complexity are exceedingly large for practical applications (the depth of Karatsuba’s multiplier can be further reduced to (10 + o(1)) log n causing further increasing of the multiplicative constant in estimate for complexity [23]). Asymptotically better multiplier was constructed by A.L. Toom [25] (at that time he was a student of MSU, his scientific adviser was O.B. Lupanov). Toom’s multiplier was improved by A. Schönhage and V. Strassen [26] (see also [27]). The complexity of the last multiplier is O(n log n log log n), and the depth is O(log n) (more precisely, a bound (9 + o(1)) log n can be achieved [23]). The best known multiplier can be constructed by M. Fürer’s method [28], its complexity is n log n2log
∗
n
,
but its depth is O(log n log∗ n), where log∗ n is defined by ⌊log . . . log n⌋ = 1. *+ , ) log∗ n
Evidently the last two multipliers both can not find applications in cryptography, due to large multiplicative constants in estimates. Pollard’s multiplier [1,29] seems to have more chances for finding practical applications, but also could not be used in cryptography. As follows from [30], the complexity of Pollard’s multiplier is less than Karatsuba’s one only for n > 222 . In that paper bounds 30634n log n + 393n for the complexity and 349 log n + 50 for the depth of Pollard’s circuit was claimed under the restriction n < 201326604. From practical point of view Toom’s method is the best known. Using Toom’s method, A.A. Burtzev has built a multiplier with recursive estimate of complexity M (4n) ≤ 7M (n) + 662n + 1085, which leads for n = 4s , s ≥ 4, to the upper complexity bound M (n) ≤ 402.5nlog4 7 −
1085 662 n− . 3 6
In particular, M (1024) ≤ 1279651. Karatsuba’s method gives worse bound in this case. Efficient implementation of division seems to be an even more complicated problem. Circuits with asymptotically best known complexity (of the same order as for mul-
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
107
tiplication) can be constructed following Cook’s method [31]. The depth of such circuits is O(log2 n). The method of [32] allows one to reduce it to O(log n log log n). The size is of the same order as for O(log n)-depth multipliers in both cases. Employing Fürer’s technique leads to a circuit with somewhat higher estimated depth. In [33] division circuits of depth O(ǫ−2 log n) and complexity O(n1+ǫ ) for any positive parameter ǫ were constructed. However, all proposed methods except for the first one seem to be of academic interest only. 1.1. Prime Field Arithmetic Arithmetic in a finite field of prime order p is just the integer arithmetic modulo p. Complexity of addition (or subtraction) modulo n-bit number p can be estimated as 2A(n) + O(1). For Mersenne primes p = 2n − 1 this bound can be reduced to A(GF(p)) = 7n − 5. The depth in the last case is the same up to O(1) as the depth of integer addition-subtraction (i.e., theoretically (1 + o(1)) log n and practically 1.262 log n + O(1)). The same depth bound holds also for Fermat prime p = 2n + 1, the complexity in this case is A(GF(p)) = 9n + O(1). Multiplication by 2k in the Mersenne prime field for any integer k amounts to the cyclic shift which costs nothing in terms of circuit complexity. Complexity of multiplication by integer C, where C mod p can be represented as a sum of l(C) powers of two, can be estimated as M (C, p) ≤ (l(C) − 1)A(GF(p)). For instance, M (17, p) ≤ A(GF(p)). Analogously for multiplication by 2k in Fermat prime field the following complexity and depth estimates can be obtained: M (2k , p) ≤ 5A(GF(p))/9 + O(1), DM (2k , p) = (1 + o(1)) log n ≤ 2 log n. In the general case of multiplication by C complexity estimate takes a form M (C, p) ≤ (l(C) − 1)A(GF(p)) + (5n + O(1))l(C). For instance, M (3, p) ≤ 14A(GF(p))/9 + O(1). Estimates 6n2 − n + O(1) and 4.97 log n + O(1) are known for complexity and depth of a standard multiplier modulo Mersenne prime p. In the Fermat case analogous estimates are 6n2 + 11n + O(1) and 4.97 log n + O(1). Complexity of multiplication modulo arbitrary prime p is bounded as M (GF(p)) ≤ 3M (log p) + O(log p), where M (n) is the complexity of multiplication of n-bit numbers. See, for instance [34, 35] (the method perhaps comes back to [31,36]). We also refer the reader to [35,27] for comparison with modular polynomial multiplication.
2. Multiplication in General Finite Fields Let Mq,f (n) be the total number of operations over GF(q) (or the complexity over GF(q)) required for multiplication of polynomials modulo f , deg f = n. Similarly one
108
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
can define mq,f (n)—multiplicative complexity and aq,f (n)—additive complexity (i.e., the number of multiplicative and additive operations over GF(q) respectively). Then M (GF(q n )) ≤ Mq,f (n)M (GF(q)) for any irreducible polynomial f (x) over GF(q). To be more precise, M (GF(q n )) ≤ mq,f (n)M (GF(q)) + aq,f (n)A(GF(q)). We also use the notation Mq (n) for the complexity over GF(q) of multiplication of polynomials of degree less than n. Analogously mq (n) and aq (n) denote multiplicative and additive complexity. Strassen’s method [36] (see also [27,35]) implies that for any f mq,f (n) ≤ 3mq (n),
aq,f (n) ≤ 3aq + O(n).
If f (x) is a sum of k monomials, then Mq,f (n) ≤ Mq (n) + (2k + 1)n, and if q = 2 then M2,f (n) ≤ M2 (n) + kn. It is well-known hypothesis that one can always choose an irreducible polynomial f with k ≤ 5. Therefore Mq,f (n) ≤ Mq (n)(1 + o(1)). In [37] (see also [27]) is proved that estimates mq (n) = O(n log n) and aq (n) = O(n log n log log n) can be achieved simultaneously. In [38] a multiplicative constant in this estimate was refined. But both methods seem not to be applicable in cryptography or coding theory. The reason will be explained below. It is known (see, e.g., [29]) that in the case 2n − 1 ≤ q the multiplicative complexity of multiplication in GF(q n ) is 2n − 1. The main idea of upper bound was proposed by A.L. Toom [25] and the proof of the lower bound is due to S. Winograd. It was shown in [39] that in the general case multiplicative complexity is O(n) as well. The reader can find improved estimates in [40] and in several papers by Ballet et al., see, e.g., [41]. On the other hand additive complexity of these methods is not that low. Therefore the above methods seem to have no practical applications. 2.1. Polynomial Multiplication First, consider the case of binary polynomial multiplication. Complexity and depth estimates of the “school” method are M (n) = n2 + (n − 1)2 ,
DM (n) = 1 + ⌈log2 n⌉.
For n ≈ 1000 one has M (n) ≈ 2000000, D(n) = 11. The recursive complexity estimates for Karatsuba’s method look as follows M (2n) ≤ 3M (n) + 8n − 4, M (2n + 1) ≤ 2M (n + 1) + M (n) + 8n − 2, implying for n = 2k , k ≥ 3, the next relations:
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
M (n) ≤
55 k 3 − 8n + 2, 9
109
DM (n) ≤ 3k − 3.
In particular, for n = 1024 we have M (n) ≤ 352665, D(n) ≤ 27. Using Schönhage’s [37] FFT method a circuit for cyclic convolution with complexity Z(2187) ≤ 428351 and depth DZ (2187) ≤ 46, or a circuit with bounds Z(2187) ≤ 430537 and DZ (2187) ≤ 34 can be constructed. As a corollary we have M (1024) ≤ M (1093) ≤ 430537,
DM (1024) ≤ DM (1093) ≤ 34.
In this case Karatsuba’s multiplier is more efficient. On the other hand, Karatsuba’s method for convolution allows one to build circuits with Z(2048) ≤ 1066183,
DZ (2048) ≤ 30.
In this case FFT method is preferable. Another example: multiplication modulo x1458 +x729 +1 can be implemented using FFT method with complexity 273850, and depth 33. In this case Karatsuba’s method again plays over. There also exists D. Cantor’s method [42] for polynomial multiplication over finite fields. The asymptotic complexity of this method is slightly greater than FFT’s, but for some medium-sized fields Cantor’s method may be preferable. In [43] a modification of Cantor’s method and some applications to polynomial factorization were considered. 2.2. Multiplication in Standard Bases Various architectures of multipliers for standard bases were proposed in [44,45,46]. Generally complexity and depth of these multipliers are estimated as O(n2 ) and O(log n) respectively. It was shown in [47], that sometimes using a standard basis with irreducible polynomials of maximum weight, i.e., polynomials of the form 1 + x + · · · + xm−1 + xm+1 + · · · + xn , offers a benefit. Multipliers of asymptotic complexity O(nlog 3 ) can be constructed following Karatsuba’s method. Some aspects of application of Karatsuba’s method to multiplication in GF(2n ) are discussed in [48,49]. For example, multiplication in GF(21024 ), when an irreducible polynomial is taken to be x1024 + x19 + x6 + x + 1, can be implemented by a circuit with M (GF(21024 )) ≤ 356865,
DM (GF(21024 )) ≤ 31.
110
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
2.3. Multiplication in Normal Bases Numerous methods for multiplication in normal bases are known by now, e.g., [5,50, 51,52,53,54]. Let T = (ti,j ) be a matrix, whose i-th row is the vector of entries of i ααq ∈ GF(q n ) with respect to normal basis B α . A number of nonzero entries in the matrix T is called complexity of the basis B α and is denoted C(B α ). If ξ=
n−1
i
xi α q ,
ζ=
n−1
yj α q
j
j=0
i=0
are some elements of GF(q n ), then the product π = ξζ may be computed by the formula π=
n−1
m=0
m
pm α q ,
pm =
n−1
ti−j,m−j xi yj = A(S m (x), S m (y)),
i,j=0
where S m (v) is the cyclic shift of a given vector v by m positions, A(u, v) is the bilinear form associated with the matrix A = (ai,j ), with the condition ai,j = ti−j,−j and indices i − j and −j are handled modulo n. This Massey–Omura algorithm [50] for multiplication over normal basis B in GF(q n ) requires n(2C(B)+n−1) operations over the subfield GF(q). In [51] a more efficient algorithm with the bound n(C(B)+3n−2)/2 was proposed. But both these bounds are at best quadratic in n, and cubic in the worst case. Alternatively, an idea of transition to the standard basis representation of the field elements may be exploited. Usual method for implementation of such transition rests on the fact that transition is a linear operator over the subfield GF(q). Thus, the transition can be implemented by a circuit of O(n2 / logq n) complexity and O(log n) depth. This is a corollary to a classical result due to O.B. Lupanov [55]. In [56] circuits for transition between standard and normal bases with complexity O(n1.806 ) and depth O(log n) were constructed. (The same estimate for the complexity of single-direction transition had been proven earlier in [57] with a worse depth bound.) Such transition circuits allow to perform multiplication in GF(q n ) using O(n1.806 ) operations over GF(q) in depth O(log n). In [56] another construction for transition circuits was proposed, which implies for any normal basis B that the following estimates hold simultaneously: √ M (q) (GF(q n )) = O( nC(B) + n1.667 + n1.5 log q log n log log n), √ (q) DM (GF(q n )) = O( n log q log n). Particularly, if B is a low complexity basis, i.e., C(B) = O(n1.167 ), and q is small enough, i.e., log q = o(n0.167 ), then M (q) (GF(q n )) = O(n1.667 ). But multiplicative constants in the estimates above are pessimistic. For some special but important cases better bounds are known. Normal bases in GF(q n ) of the minimal complexity 2n − 1 are called optimal normal bases (ONB). All these bases were enumerated in [58]. Any ONB belongs to one of three types. ONB of type I exists iff n + 1 = p is a prime number, and q is a primitive element modulo p. Type II and III ONB exist iff q = 2m , (m, n) = 1, 2n + 1 = p is a prime, and either 2 is
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
111
a primitive element modulo p (type II) or n is odd and −2 is a primitive element modulo p (type III). There are also various kinds of low complexity normal bases with C(B) = O(n) [59,60,52,61]. Using the method of [62] the following bound for the type k Gauss normal basis may be obtained: M (GF(q n )) ≤ (Mq (kn) + 7kn − 8)M (GF(q)). In the particular case of q = k = 2 (which is the ONB case) this result was obtained later in [53] independently and was patented. For the type I ONB one has M (GF(q n )) ≤ (Mq (n) + 7n − 8)M (GF(q)). For the type II and III ONB the bounds M (q) (GF(q n )) ≤ 3Mq (n) + O(n log n), M (GF(2n )) ≤ 3M (n) +
3n log n + O(n) 2
were proved in [54]. Under certain conditions the latter bound may be improved. For example [9], if n = 3 · 2k − 1 and ONB of type II or III exists, then for the complexity and the depth of multiplication in this basis we have M (GF(2n )) ≤ M (n) +
7n log n + 4n, 2
DM (GF(2n )) ≤ D(n) + 2 log n + 2 log log n + O(1). In particular, M (GF(2191 )) ≤ 31600,
D(GF(2191 )) ≤ 44.
For comparison, a method of the paper [51] implies the bound M (GF(2191 )) ≤ 90916. Note, that some of the algorithms presented above use for multiplication in the particular fields GF(q n ) a linear number of multiplications in GF(q).
3. Inversion in General Finite Fields The best known asymptotic complexity estimate for inversion in a standard basis of GF(q n ) is O(n log2 n log log n) that follows from the fast extended GCD Schönhage’s algorithm [63] (see also [64,27] and modification of the algorithm in [65]). The depth of the circuit is O(n) and the method seems to be not applicable in cryptography. Usual binary GCD algorithm can be implemented by a circuit of complexity O(n2 ) and even greater depth O(n log n). The latter method looks more practical, however all known GCD-based algorithms are intrinsically sequential. In practice, this methods are used for software implementation only.
112
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
3.1. Addition Chain Method A sequence of natural numbers a0 = 1, a1 , . . . , am = n, in which each number ai is a sum aj + ak , where j, k < i (indices j and k may coincide), is called an addition chain for n. Parameter m is called a length of the addition chain. The length of the shortest addition chain for n is denoted by l(n). Comprehensive study of addition chains including all classical results may be found in [66]. Put λ(n) = ⌊log n⌋. It is known that l(n) = λ(n) + (1 + o(1))
λ(n) . λ(λ(n))
The upper bound is due to A. Brauer [67] and proof of the lower bound is due to P. Erd˝os. Evidently raising to the n-th power using only multiplications corresponds to conn structing of an addition chain for n. Fermat’s identity x = xq for any x ∈ GF(q n ) n implies that inversion in GF(q ) is equivalent to raising to the power q n − 2. This forms background for the use of addition chains in constructing invertors. A.Brauer [67] proposed an appropriate way to build an addition chain for 2n − 1 starting from an addition chain for n. His method easily extends to calculation of (q n − 1)/(q − 1) where multiplications by q are used instead of doubling steps. n Denote y = x(q −q)/(q−1) . To calculate inverse fast, one can use identity x−1 = n y(xy)−1 , as proposed in [68]. Clearly, xy ∈ GF(q), as far as (xy)q−1 = xq −1 = 1. n−1 For computation of y = (x(q −1)/(q−1) )q either Brauer’s or Itoh–Tsujii [68] method can be used (actually, the latter is just a special case of Brauer’s method). To finish calculations one has to multiply x by y (it is simpler than in the general case, due to the fact that the product belongs to subfield) and divide by xy ∈ GF(q). In the case q = 2 one needs only calculate y = x−1 . Less elegant approach based on the formula x−1 = x(q
n−1
−1)q q−2
x
was followed in [69]. Let F (GF(q n )) and DF (GF(q n )) denote the complexity and the depth of the circuit k implementing a Frobenius operation x → xq in GF(q n ). Let also d(n) denote the depth of a shortest addition chain for n. Using the addition chain method and a result of paper [70] a standard basis invertor with complexity and depth I (q) (GF(q n )) ≤ (l(n − 1) + 1) M (q) (GF(q n )) + F (q) (GF(q n )) + n = O(n1.667 ), (q) (q) (q) DI (GF(q n )) ≤ (d(n − 1) + 1) DM (GF(q n )) + DF (GF(q n )) + 1 = O(log2 n) can be constructed. The same scheme of calculations in the case of a normal basis implies the following bounds: I (q) (GF(q n )) ≤ (l(n − 1) + 1)M (q) (GF(q n )) + n = O(n1.806 ), (q)
(q)
DI (GF(q n )) ≤ (d(n − 1) + 1)DM (GF(q n )) + 1 = O(log2 n),
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
113
since the Frobenius operation is simply a cyclic shift of a field element coefficients in the normal basis, which has zero complexity. Additive terms n in both complexity bounds and 1 in both depth bounds can be omitted in the case q = 2. For a smooth number n the complexity of this invertors may be decreased, but at the cost of increasing their depth. The above estimates based on the A.Brauer’s (1939) method seem to be hardly familiar to cryptographers. Some particular cases of the Brauer’s method like Itoh–Tsujii method [68] or TYT-method [71] are frequently cited and exploited. These methods does not provide optimal complexity (for example, method [71] yields to the general Brauer’s for n = 24, 44, 47, . . . ). Using the Brauer’s method some very recent results can be improved straightforwardly, e.g., the complexity bounds [72] for inversion in the fields GF(2384 ), GF(2480 ) (see details in [73], see also [69]). To minimize the depth of invertor we may use a version of right-to-left binary method (see [66,73]). The method allows one to build a minimal depth δ(n) = ⌈log2 n⌉ addition chain for n with the length λ(n) + ν(n) − 1, where ν(n) is the number of 1’s in the binary representation of n. The length of such a chain is at most 2λ(n), this bound is tight. Using a modified Yao’s method [74], an addition chain for n with the depth δ(n) + 1 and asymptotically minimal length λ(n) +
λ(n) O(λ(n)λ(λ(λ(n)))) + λ(λ(n)) (λ(λ(n)))2
was constructed in [73]. Thereby, a standard-basis invertor of complexity I
(q)
n
(GF(q )) ≤
λ(n) λ(n − 1) + (1 + o(1)) λ(λ(n)) × M (q) (GF(q n )) + F (q) (GF(q n ))
and depth (q) (q) (q) DI (GF(q n )) ≤ (δ(n) + 1) DM (GF(q n )) + DF (GF(q n )) + 1 can be constructed. Analogous bounds for normal basis take the form: I (q) (GF(q n )) ≤ (q)
λ(n − 1) + (1 + o(1))
λ(n) λ(λ(n))
M (q) (GF(q n )),
(q)
DI (GF(q n )) ≤ (δ(n − 1) + 1)DM (GF(q n )) + 1. Actually, for any n ≤ 228 there exists a minimal length chain of the depth at most δ(n) + 1. For any n ≤ 1024 there exists a minimal length chain of the depth at most δ(n) + 2.
114
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
3.2. Logarithmic Depth Method The GF(q n ) invertors of logarithmic depth (over GF(q)) invertors were presented in [75,76] (the former paper considers the binary case). The authors didn’t estimate complexity and depth of the circuits more tightly than nO(1) and O(log n) respectively. In fact, the multiplicative constants involved are rather large. Invertor in GF(2n ) of the depth (6.44 + o(1)) log n and complexity (2/3)n4 + o(n4 ) was constructed in [77] (the result holds for an arbitrary field basis). In the same paper a standard basis invertor with the depth O(log n) and complexity O(n1.667 ) was constructed. The latter result was extended in [78] to the case of the general field GF(q n ). As a corollary, a normal basis invertor of complexity O(n1.806 ) and depth O(log n) can be constructed. This method [78] looks like a parallel version of addition chain method. It involves multiple multiplications. We denote complexity and depth of multiplication of m elements in the field GF(q n ) by M M (m, GF(q n )) and DM M (m, GF(q n )) respectively. Combining ideas from [79,33,32] the following bounds for multiple multiplication circuit were proved in [78]: −3 M M (q) (m, GF(q n )) = O lc m1+ǫ n1+l (log(mn) log log(mn) + l3 ) , (q)
DM M (m, GF(q n )) = O(l log m + ǫ−1 log n),
where l is a natural, ǫ is a positive parameters and c is a certain constant. √ The use of multiple multiplications rests on the following result [77,78]: let m = ⌈ r n⌉, r ∈ N. Then raising to the power (q n −q)/(q −1) in GF(q n ) can be implemented by a circuit with complexity and depth (2r − 1)(mF (GF(q n )) + M M (m, GF(q n ))) + (r − 1)M (GF(q n )), 2(DF (GF(q n )) + DM M (m, GF(q n ))) + DM (GF(q n ))
+ (r − 2) max{DF (GF(q n )) + DM M (m, GF(q n )), DM (GF(q n ))} respectively. As before, two more operations are required to finish inversion. Finally, for any r ∈ N a standard basis invertor with the following complexity and depth estimates can be constructed: I (q) (GF(q n )) = O(rn1/r (nw + n1.5 log n log log n)), (q)
DI (GF(q n )) = O(r log n), where w is somewhat smaller then 1.667. One can set r to be large enough to obtain a logarithmic depth circuit of complexity O(n1.667 ). Better bounds in both standard and normal cases may be obtained if the transition between the bases is performed fast. Denote by T (GF(q n )) and DT (GF(q n )) complexity and depth of a transition circuit (bilateral transition is considered). Then exploiting an idea that multiplication is faster in standard bases and Frobenius operation is faster in normal bases the following bounds for the inversion in either of the bases could be obtained [78]:
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
115
√ I (q) (GF(q n )) = O Rb n1+2/R + O R R n T (q) (GF(q n )), (q) (q) DI (GF(q n )) = O R log n + DT (GF(q n )) ,
where b < 2.12 and R is a natural parameter which is either constant or some very slowly growing function with respect to n. Therefore, if a transition circuit of almost linear complexity and logarithmic depth exists, then a logarithmic depth invertor of almost linear complexity can be constructed. For instance, an invertor in type k Gauss normal basis of the field GF(q n ) of complexity O(ǫ−b n1+ǫ ) and depth O(ǫ−1 log n), where ǫ > 0, can be constructed under the condition k = o(log n). All the above logarithmic depth circuits are of minor actual significance though some application-oriented modifications increasing asymptotic complexity are possible.
4. Arithmetic in Composite Fields In [49] the authors proposed an architecture for parallel multipliers in GF(24n ). Different approaches to implementing arithmetic in composite fields were described in [80,81,51, 45]. Combining [54,56], one can prove that if n and m are coprime, then for some normal basis M (q) (GF(q nm )) = O(nm(m0.806 + n0.806 )). Particularly, if n = Ω(m), then M (q) (GF(q N )) = O(N 1.403 ),
N = nm.
If N is an ǫ-smooth number, i.e., N = n1 . . . nm , all ni are coprime, n1 + · · · + nm = O(N ǫ ), then M (q) (GF(q N )) = O(N 1+0.806ǫ ). But the depth of this circuit is prohibitively high. 4.1. Multiplication and Inversion in Towers of Fields For the tower of fields GF(2n ), n = 2k , multiplier and invertor of complexity M (GF(2n )) = O(n1.58 ),
I(GF(2n )) = O(n1.58 )
were constructed in [82]. The method implies, for example, M (GF(21024 )) ≤ 357992,
I(GF(21024 )) ≤ 538033.
But the depth of the invertor is Ω(log3 n). In [83] it was proved that for any ǫ > 0 and any natural m > 1 one may choose a basis in the field GF(2n ), n = ms , s ≥ sǫ , in such way that M (GF(2n )) < n1+ǫ/2 ,
I(GF(2n )) < n1+ǫ .
116
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
In particular, estimates M (GF(2162 )) ≤ 19525,
I(GF(2162 )) ≤ 106278,
M (GF(2486 )) ≤ 158468,
I(GF(2486 )) ≤ 481789
were obtained employing a method with the next asymptotic complexity bounds for n = 8 · 3k : I(GF(2n )) = O nlog3 5 ,
M (GF(2n )) = O nlog3 5 .
The method looks more appropriate when n is of order of several thousands. The depth is also high. Further, for n = 2 · 3k M (GF(2n )) < n(log3 n)
log2 log3 n +O(1) 2
I(GF(2n )) < n(log3 n)
log2 log3 n +O(1) 2
, .
4.2. Minimization of Inversion Depth in Composite Fields Methods to be observed in this section aim at constructing depth-efficient circuits for practical values of field’s order, though theoretically their depth is estimated as Ω(log2 n). Suppose that n is odd, DM (GF(2n )) ≥ DS (GF(2n )) + 1, where S(GF(2n )) is the complexity of squaring in GF(2n ). Applying a method from the paper [84], one can construct invertor and multiplier with the following recursive bounds on the complexity and the depth: M (GF(22n )) ≤ 3M (GF(2n )) + 4n,
DM (GF(22n )) ≤ DM (GF(2n )) + 2,
I(GF(22n )) ≤ I(GF(2n )) + 3M (GF(2n )) + S(GF(2n )) + 2n, DI (GF(22n )) ≤ DI (GF(2n )) + 2DM (GF(2n )) + 1. All results mentioned in the rest of this subsection were obtained in [85,86]. Suppose that (n, 3) = 1, B2 = {α, α2 , α4 } is the ONB in GF(23 ), where α3 = 2 α + 1, and B1 is any basis in GF(2n ), DM (GF(2n )) ≥ DS (GF(2n )) + 2, then for multiplication in B = B1 ⊗ B2 we have M (GF(23n ) ≤ 6M (GF(2n )) + 12n,
DM (GF(23n )) ≤ DM (GF(2n )) + 3.
Further, for inversion in B we have the following recursions: I(GF(23n )) ≤ I(GF(2n )) + 9M (GF(2n )) + 3S(GF(2n )) + 8n, DI (GF(23n )) ≤ DI (GF(2n )) + 3DM (GF(2n )) + 1. If B1 is a normal basis, then S(GF(2n )) = 0.
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
117
If in the field tower GF(((2n )2 )2 ) the ONB {α1 , α12 } and the standard basis {1, α2 }, where α12 + α1 = 1, α22 + α2 = α1 , are chosen, then for the complexity and the depth of a multiplier the next relations hold M (GF(24n )) ≤ 9M (GF(2n )) + 20n,
DM (GF(24n )) ≤ DM (GF(2n )) + 4.
If we choose a normal basis in GF(2n ), then one can construct an invertor with the following recursive relations for complexity and depth I(GF(24n )) ≤ 14M (GF(2n )) + 14n + I(GF(2n )), DI (GF(24n )) ≤ 3DM (GF(2n )) + 2 + max{DI (GF(2n )), 2}. Suppose that (n, 5) = 1, B2 = {α, α2 , α4 , α8 , α16 }, where α5 = α4 + α2 + α + 1, B1 is any normal basis in GF(2n ) and B = B1 ⊗ B2 . Then for the multiplication in the basis B the next relations hold: M (GF(25n )) ≤ 15M (GF(2n )) + 40n,
DM (GF(25n ) ≤ DM (GF(2n )) + 4,
and for inversion: I(GF(25n )) ≤ I(GF(2n )) + 91M (GF(2n )) + 117n, DI (GF(25n ) ≤ DI (GF(2n )) + 3DM (GF(2n )) + 1 + max{DM (GF(2n )), 6}. The field GF(26n ) can be represented as an extension of GF(2n ) of degree 6. We choose in GF(26 ) an ONB B2 = {α, α2 , α4 , α8 , α16 , α32 }, where α6 = α5 +α4 +α+1. Also we choose in GF(2n ) arbitrary basis B1 and consider the basis B = B1 ⊗ B2 in GF(26n ). Suppose that DM (GF(2n )) ≥ DS (GF(2n )) + 2. Then for multiplication and inversion in B one has: M (GF(26n )) ≤ 21M (GF(2n )) + 60n,
DM (GF(26n )) ≤ DM (GF(2n )) + 4,
I(GF(26n )) ≤ I(GF(2n )) + 42M (GF(2n )) + 5S(GF(2n )) + 65n, DI (GF(26n )) = 4DM (GF(2n )) + 4 + max{DI (GF(2n )), 4}. Suppose that (n, 2) = 1, B1 = {α1 , α12 } ⊗ {1, α2 }, where α12 + α1 = 1, α22 + α2 = α1 and B2 = B1 ⊗ {1, α3 }, where α32 + α3 = α1 α2 , B is arbitrary basis in GF(2n ), then for the basis B2 ⊗ B in GF(28n ) the following relations hold: M (GF(28n )) ≤ 27M (GF(2n )) + 80n,
DM (GF(28n )) ≤ DM (GF(2n )) + 7.
If B is the normal basis, then I(GF(28n )) ≤ I(GF(2n )) + 45M (GF(2n )) + 101n, DI (GF(28n )) ≤ 4DM (GF(2n )) + 8 + max{DI (GF(2n )), 6}.
118
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
Table 1. I(GF(2n ))
DI (GF(2n ))
10
220
14
12
293
16
15
590
20
16
499
23
20
905
21
24
1 162
24
30
1 925
29
36
4 438
30
40
3 355
30
120
36 230
54
210
88 000
67
330
171 009
71
690
712 655
101
n
If we choose in GF(24 ) an ONB B1 = {α, α2 , α4 , α8 }, where α4 = α3 +α2 +α+1, then in GF(28 ) there exists a basis B2 = B1 ⊗ {1, β}, such that β 2 + β = α. One can choose in GF(2n ) a normal basis B and consider the basis B2 ⊗ B in GF(28n ). For the chosen basis in GF(28n ) the following bounds for the complexity and the depth are valid: M (GF(28n )) ≤ 30M (GF(2n )) + 82n,
DM (GF(28n )) ≤ DM (GF(2n )) + 5,
I(GF(28n )) ≤ I(GF(2n )) + 52M (GF(2n )) + 88n, DI (GF(28n )) ≤ 4DM (GF(2n )) + 6 + max{DI (GF(2n )), 2}. Let (n, 30) = 1. Then in GF(230n ) a normal basis can be chosen and multiplier and invertor can be constructed to prove relations: M (GF(230n )) ≤ 315M (GF(2n )) + 1140n, DM (GF(230n )) ≤ DM (GF(2n )) + 8, I(GF(230n )) ≤ I(GF(2n )) + 566M (GF(2n )) + 1537n, DI (GF(230n )) ≤ 6DM (GF(2n )) + 17 + max{DI (GF(2n ))
+ max{DM (GF(2n )), 6}, DM (GF(2n )) + 8}.
Table 1 shows bounds on the depth and complexity of inversion in certain fields of characteristic 2. 5. Arithmetic in Pseudo-Mersenne Fields A prime number q of the form 2n ± c, where c is small, is called pseudo-Mersenne prime number. Several techniques for implementing multiplication in pseudo-Mersenne fields GF(q n ), n = 2k , 3k , were proposed in [87,88]. Special bases (so called optimal tower bases) were used.
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
119
5.1. Multiplication in Optimal Tower Fields Improving the results of [87], in [88] multipliers of complexity k 1 ≤ 3k M (GF(q)) + 5(3k − 2k )A(GF(q)) + (3k − 1)M (α0 , q), M GF q 2 2 k 2 ≤ 6k M (GF(q)) + 5(6k − 3k )A(GF(q)) + (6k − 1)M (α0 , q) M GF q 3 5
were constructed, where x2 − α0 , x3 − α0 are irreducible binomials over GF(q), α0 ∈ GF(q), M (α0 , q) is the complexity of multiplication by α0 in GF(q). As a consequence, M (GF(q 4 )) ≤ 9M (GF(q)) + 25A(GF(q)) + 4M (3, q), M (GF(q 8 )) ≤ 27M (GF(q)) + 95A(GF(q)) + 13M (3, q), M (GF(q 32 )) ≤ 243M (GF(q)) + 1055A(GF(q)) + 121M (3, q). Some effective applications of similar results in hyperelliptic cryptography were noted in [89]. In [90] some improvements were proposed for this circuits based on FFT in the case of Fermat number q = 216 + 1. Independently related results were obtained in [54], namely for q = pn , p = 216 +1, the next bound was proved: k
M (GF(q 2 )) ≤ 2k+1 M (GF(q)) + 2k+1 (3k + 1)A(GF(q)) + (3(2k (k − 1) + 1) + k + 2)M (2s , q). Using convolution modulo x(x2
k+1
− 1)/(x2 − 1) it was proved [91] that
M (GF(q 4 )) ≤ 7M (GF(q)) + 59A(GF(q)) + 3M (3, p), M (GF(q 8 )) ≤ 15M (GF(q)) + 193A(GF(q)) + 7M (3, p), M (GF(q 16 )) ≤ 31M (GF(q)) + 558A(GF(q)) + 15M (3, p), M (GF(q 32 )) ≤ 63M (GF(q)) + 1525A(GF(q)) + 31M (3, p). Construction of the circuit√on which the latter bound was achieved rests on the existence of the primitive root 2 = 24 (28 − 1) of order 64 in the field GF(p). As follows from Winograd’s theorem (see, for example, [2]), multiplicative constants in the terms involving M (GF(q)) in the above estimates are minimal. For q = pn , p = 213 − 1, n = 2k0 · 3k1 · 5k2 · 7k3 · 13k4 , where k0 = 0, 1, the following relations were proved in [91]: M (GF(q 7 )) ≤ 13M (GF(q)) + 344A(GF(q)) + 6A(GF(p)), M (GF(q 13 )) ≤ 26M (GF(q)) + 1026A(GF(q)) + 12A(GF(p)). Also in [91] analogous bounds were proved for q = pn , p = 217 − 1, n = 2k0 · 3k1 · 5k2 · 17k3 , where k0 = 0, 1:
120
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
M (GF(q 9 )) ≤ 17M (GF(q)) + 578A(GF(q)) + 6A(GF(p)), M (GF(q 18 )) ≤ 35M (GF(q)) + 1825A(GF(q)) + 17A(GF(p)). These results rely on using FFT modulo Mersenne prime p corresponding to primitive roots ±2 of order p or 2p. In the last case FFT is performed by the Good–Thomas method (see [2]). Multiplication in GF(q n ) was implemented using 3 FFT’s and reduction modulo an irreducible binomial. The method proposed in the paper [92] requires 2 FFT’s on the average when batch calculation of sufficiently many multiplications in GF(q n ) is performed. This method was called modular multiplication in the frequency domain since all the operations are performed over Fourier-images of input data. For modular multiplication Montgomery method was used. For example, if binomial xn −2 is irreducible over GF(p), p = 2m −1, 2n − 1 ≤ m then the complexity of modular multiplication in the frequency domain is mM (GF(p)) + (m − 1)M (1/m, p) + (6m2 − 7m + O(1))A(GF(p)). In the case of 2n − 1 < 2m complexity bound 2mM (GF(p)) + (m − 1)M (1/m, p) + (4m2 − 4m + O(1))A(GF(p)) was obtained. Effective application of this results in elliptic curve cryptography was demonstrated in [93]. We remark that instead of Montgomery multiplication one can apply the usual modular multiplication. It leads to some simplifications, but corresponding algorithm for modular multiplication in the frequency domain requires roughly 2m2 more multiplications by 2k as compared to the algorithm from the paper [92]. This difference turns out to be significant for software implementation, but is of minor significance for implementation of a circuit in hardware.
6. Multiplication in Fields of Small Characteristic In the last 7 years numerous papers on the so-called pairing-based cryptography were published. A problem of primary practical importance in this research direction is the efficient implementation of pairings. In [94] an efficient algorithm was proposed for Tate pairing in some supersingular curves over fields of characteristics 3. The performance of this algorithm depends on the efficient implementation of arithmetic in GF(3n ). Various approaches to this problem were developed in [95,96,97,98]. In [99,100] a fast algorithm was presented for Tate pairing on hyperelliptic curve y 2 = xp −x+d, d = ±1, over the field GF(pn ). In the case p = 3 this algorithm is more efficient than that of the paper [94]. In [101] some improvements of Duursma–Lee (DL) algorithm for binary fields were suggested. In fact, similar improvements are possible in general case (see, e.g., [10]). Another improvement of the DL algorithm was suggested in [102]. To implement the DL algorithm for general case, one needs a circuit for arithmetic in GF(p2pn ), (2p, n) = 1, p = 4k + 3.
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
121
For this purpose one can use a multiplier in GF(p2pn ), (2p, n) = 1, p = 4k + 3, with complexity estimate M (GF(p2pn )) ≤ (6p − 3)M (GF(pn )) + O(p2 nM (GF(p))). The proof of this bound is based on the Toom’s method. It may be shown that in certain sense the complexity of the DL algorithm decreases when p increases. The smallest field to be of some interest is the field GF(714n ) which corresponds to the case p = 7. Efficient implementation of arithmetic in this field leads to improvements in a method of paper [103]. The following complexity and depth estimates for multiplication in GF(714n ) were proved in [104]: M (GF(714n )) ≤ 13M (GF(72n )) + 258nA(GF(7)), DM (GF(714n )) ≤ 11DA (GF(7)) + DM (GF(72n )). Particularly, M (GF(714·31 )) ≤ 698 554. 7. Addendum Recently C. Umans [105] published a new algorithm for modular composition of polyk nomials over fields of small characteristic. As follows, Frobenius operation x → xq in GF(q n ) can be implemented with n1+o(1) complexity over GF(q), provided characteristic of the field is p = no(1) . It leads to improvements in complexity bounds of related operations. For instance, complexity of transition between standard and normal bases by method [56] decreases to O(n1.667 ). As another corollary, an almost linear complexity bounds for some inversion algorithms can be proved. Improved complexity bound for multiplication in type II and III ONB M (q) (GF(q n )) ≤ Mq (n) + O(n log n) was obtained in [106]. Method proposed in the paper [106] is essentially the same, that in [54], but it saves two multiplications of polynomials.
References [1] J.H. McClellan, C.M. Rader, Number theory in digital signal processing, Prentice-Hall, 1979. [2] R.E. Blahut, Fast algorithms for digital signal processing, Addison-Wesley, Reading, Massachusetts, USA, 1985. [3] G.B. Agnew, R.C. Mullin, I.M. Onyszchuk, S.A. Vanstone, An implementation for a fast public-key cryptosystem, Journal of Cryptology 3 (1991), 63–79. [4] G.B. Agnew, T. Beth, R.C. Mullin, S.A. Vanstone, Arithmetic operations in GF(2m ), Journal of Cryptology 6 (1993), 3–13. [5] D. Jungnickel, Finite fields. Structure and arithmetic, Wissenschaftsverlag, Mannheim, Leipzig, Wien, Zurich, 1993. [6] A.J. Menezes, P.C. van Oorshot, S.A. Vanstone, Handbook of applied cryptography, CRC Press, 1997. [7] I. Blake, G. Seroussi, N. Smart, Elliptic curves in cryptography, Cambridge University Press, 1999.
122
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
[8] I. Blake, G. Seroussi, N. Smart, Advances in elliptic curve cryptography, Cambridge University Press, 2005. [9] A.A. Bolotov, S.B. Gashkov, A.B. Frolov, A.A. Chasovskikh, Primer in elliptic cryptography. Background in algebra and algorithms, Moscow, 2006 (in Russian). [10] A.A. Bolotov, S.B. Gashkov, A.B. Frolov, Primer in elliptic cryptography. Using elliptic curves to construct cryptographic protocols, Moscow, 2006 (in Russian). [11] P.E. Dunne, The complexity of Boolean networks, Academic Press, 1988. [12] I. Wegener, The complexity of Boolean functions, Wiley, Stuttgart, 1987. [13] R. Lidl, H. Niederreiter, Finite fields, Addison-Wesley, 1983. [14] N.P. Red’kin, Minimal realization of a binary adder, Problemy Kibernetiki 38 (1981), 181–216 (in Russian). [15] V.M. Khrapchenko, Asymptotic estimation of addition time of a parallel adder, Problemy Kibernetiki 19 (1967), 107–122 (in Russian). English translation in Syst. Theory Res. 19 (1970), 105–122. [16] S.B. Gashkov, M.I. Grinchuk, I.S. Sergeev, On constructing small depth adders, Diskretnyi analiz i issledovanie operaciy, Ser. 1 14(1) (2007), 27–44 (in Russian). [17] D.J. Bernstein, Multidigit multiplication for mathematicians, http://cr.yp.to/ papers.html#m3, 2004. [18] G.K. Stolyarov, Parallel multiplication technique for computer hardware and design of a multiplier, Author certificate cl. 42, V. 14, n. 126668, 1960. [19] A. Avizienis, Signed-digit number representation for fast parallel arithmetic, IEEE Trans. Elect. Comput. 10 (1961), 389–400. [20] A.A. Karatsuba, Yu.P. Ofman, Multiplication of multidigit numbers on automata, DAN USSR 145(2) (1962), 293–294 (in Russian). Eng. transl. in Soviet Phys. Dokl. 7 (1963), 595–596. [21] C.S. Wallase, A suggestion for a fast multiplier, IEEE Trans. Elect. Comput. 13 (1964), 14–17. [22] M. Paterson, U. Zwick, Shallow circuits and concise formulae for multiple addition and multiplication, Comput. Complexity 3 (1993), 262–291. [23] I.S. Sergeev, On the depth of circuits for multiple addition and multiplication of integers, Proc. of VI scientific school on discrete mathematics and its applications (Moscow, IPM RAN, April 2007) II (2007), 40–45 (in Russian). [24] A.V. Chashkin, Fast multiplication and addition of integers, “Discrete mathematics and applications” MGU, 2001, 91–110 (in Russian). [25] A.L. Toom, The complexity of a scheme of functional elements realizing the multiplication of integers, DAN USSR 150(3) (1963), 496–498 (in Russian). Eng. transl. in Soviet Math. Dokl. 3 (1963), 714–716. [26] A. Schönhage, V. Strassen, Schnelle Multiplikation großer Zahlen, Computing 7 (1971), 271–282. [27] J. von zur Gathen, J. Gerhard, Modern computer algebra, Cambridge University Press, 1999. [28] M. Fürer, Faster integer multiplication, http://www.cse.psu.edu/~furer/Papers/ mult.pdf, 2007. [29] P. Naudin, C. Quitte, Algoritmique algebrique, Masson, Paris, Milan, Barselone, Bonn, 1992. [30] J.V. Vegner, Method of Pollard (manuscript). [31] S. Cook, On the minimum computation time of functions, Ph.D. Thesis, Harvard Univ., 1966. [32] J. Reif, S. Tate, Optimal size integer division circuits, SIAM J. Comput. 19(5) (1990), 912–925. [33] J. Hastad, T. Leighton, Division in O(log n) depth using O(n1+ǫ ) processors, http://www.nada.kth.se/~yohanh/paraldivision.ps, 1986. [34] P.D. Barreto, Implementing the Rivest, Shamir and Adleman public key encryption algorithm on a standard digital signal processor, Advances in Cryptology, Proc. of Crypto’86, LNCS 263 (1987), 311– 323. [35] S.B. Gashkov, V.N. Chubarikov, Arithmetic. Algorithms. Computation complexity, Moscow, MGU, 2005 (in Russian). [36] V. Strassen, Die Berechnungskomplexität von elementarsymmetrischen Funktionen und von Interpolationskoeffizienten, Numer. Math. 20 (1973), 238–251. [37] A. Schönhage, Schnelle Multiplikation von Polynomen über Körpern der Charakteristik 2, Acta Inf. 7. (1977), 395–398. [38] D. Cantor, E. Kaltofen, On fast multiplication of polynomials over arbitrary algebras, Acta Informatica 28 (1991), 693–701. [39] D.V. Chudnovsky, G.V. Chudnovsky, Algebraic complexities and algebraic curves over finite fields, J. Complexity 4 (1988), 285–316.
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
123
[40] I.E. Shparlinski, M.A. Tsfasman, S.G. Vladut, Curves with many points and multiplication in finite fields, LNM 1518 (1992), 145–169. [41] S. Ballet, R. Roland, Multiplication algorithm in a finite field and tensor rank of the multiplication, J. Algebra 272(1) (2004), 173–185. [42] D. Cantor, On arithmetic algorithms over finite fields, J. of combinatorial theory, Series A 50 (1989), 285–300. [43] J. von zur Gathen, J. Gerhard, Arithmetic and factorization of polynomials over GF(2), Proc. of ISSAC’96 (Zürich), 1996, 1–9. [44] E.D. Mastrovito, VLSI architectures for computation in Galois fields, Ph.D. Thesis, Linköping University, Dept. Electr. Eng., Sweden, 1991. [45] J. Guajardo, T. Güneysu, S. Kumar, C. Paar, J. Pelzl, Efficient hardware implementation of finite fields with application to cryptography, Acta Appl. Math. 93 (2006), 75–118. [46] S. Erdem, T. Yanik, C. Koc, Polynomial basis multiplication over GF(2n ), Acta Appl. Math. 93 (2006), 33–55. [47] O. Ahmadi, A. Menezes. Irreducible polynomials of maximum weight, preprint, 2005. [48] C. Paar, Effective VLSI architectures for bit paralel computation in Galois fields, Ph.D. Thesis, Universität GH Essen, Germany, 1994. [49] C. Paar, P. Fleischmann, P. Roelse, Effective multiplier architectures for Galois fields GF(24n ), IEEE Trans. Comp. 47(2) (1998), 162–170. [50] J.L. Massey, J.K. Omura, Apparatus for finite fields computation, US Patent 4587627, 1986. [51] A. Reyhani-Masoleh, M.A. Hasan, On effective normal basis multiplication, Proc. of Indocrypt’2000, LNCS 1977 (2000), 213–224. [52] J. von zur Gathen, M. Nöcker, Fast arithmetic with general Gauss periods, Theor. Comp. Science 315 (2004), 419–452. [53] I. Blake, R. Roth, G. Seroussi, Efficient arithmetic in GF(2n ) through palindromic representation, Hewlett-Packard, HPL-98-134, 1998. [54] A.A. Bolotov, S.B. Gashkov, Fast multiplication in normal bases of finite fields, Discretnaya matematika 13(3) (2001), 3–31 (in Russian). Eng. transl. in Discrete Mathematics and Applications 11(4) (2001), 327–356. [55] O.B. Lupanov, On rectifier and contact rectifier circuits, DAN USSR 111(6) (1956), 1171–1174 (in Russian). [56] I.S. Sergeev, On constructing circuits for transition between polynomial and normal bases in finite fields, Diskretnaya matematika 19(3) (2007), 89–101 (in Russian). Eng. transl. in Discrete Mathematics and Applications 17(4) (2007), 361–373. [57] E. Kaltofen, V. Shoup, Subquadratic-time factoring of polynomials over finite fields, Math. Comput. 67(223) (1998), 1179–1197. [58] R.C. Mullin, I.M. Onyszchuk, S.A. Vanstone, R.M. Wilson, Optimal normal bases in GF(pn ), Discrete Applied Mathematics, 22 (1988/89), 149–161. [59] D.W. Ash, I.F. Blake, S.A. Vanstone, Low complexity normal bases, Discrete Applied Mathematics 25 (1989), 191–210. [60] J.E. Seguin, Low complexity normal bases, Discrete Applied Mathematics 28 (1990), 309–312. [61] S. Feisel, J. von zur Gathen, M.A. Shokrollahi, Normal bases via general gauss periods, Math. Comp. 68(225) (1999), 271–290. [62] S. Gao, J. von zur Gathen, D. Panario, Gauss periods and fast exponentiation in finite fields, Proc. of Latin’95 (Valparaiso, Chile), LNCS 911 (1995), 311–322. [63] A. Schönhage, Schnelle Berechnung von Kettenbruchentwicklungen, Acta Inf. 1 (1971), 139–144. [64] V. Strassen, The computational complexity of continued fractions, SIAM J. Comput. 12 (1983), 1–27. [65] D. Stehlé, P. Zimmermann, A binary recursive GCD algorithm, Proc. of ANTS-VI (Burlington, USA, 2004), LNCS 3076 (2004), 411–425. [66] D. Knuth, The art of computer programming, third ed., Addison-Wesley, 1998. [67] A. Brauer, On addition chains, Bull. AMS 45 (1939), 736–739. [68] T. Itoh, S. Tsujii, A fast algorithm for computing multiplicative inverses in GF(2n ) using normal bases, Inform. and Comp. 78 (1988), 171–177. [69] J. von zur Gathen, M. Nöcker, Exponentiation in finite fields: theory and practice, Applied Algebra, Proc. of AAECC-12, LNCS 1255 (1997), 88–113. [70] R. Brent, H. Kung, Fast algorithms for manipulating formal power series, J. ACM 25(4) (1978), 581–
124
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
595. [71] N. Takagi, J. Yoshiki, K. Takagi, A fast algorithm for multiplicative inversion in GF(2n ) using normal basis, IEEE Trans. on Comp. 50(5) (2005), 394–398. [72] K. Chang, H. Kim, J. Kang, H. Cho, An extension of TYT algorithm for GF((2n )m ) using precomputation, Inform. Proc. Letters 92 (2004), 231–234. [73] S.B. Gashkov, I.S. Sergeev, An application of the method of addition chains to inversion in finite fields, Discretnaya matematika 18(4) (2006), 56–72 (in Russian). Eng. transl. in Discrete Mathematics and Applications 16(6) (2006), 601–618. [74] A.C. Yao, On the evaluation of powers, SIAM J. on Comput. 5 (1976), 100–103. [75] B.E. Litow, G.I. Davida, O(log n) time for finite field inversion, LNCS 319 (1988), 74–80. [76] J. von zur Gathen, Inversion in finite fields, J. Symbolic Comput. 9 (1990), 175–183. [77] I.S. Sergeev, Circuits of logarithmic depth for inversion in finite fields of characteristic two, Matematicheskie Voprosy kibernetiki 15 (2006), 35–64 (in Russian). [78] S.B. Gashkov, I.S. Sergeev, On constructing circuits of logarithmic depth for inversion in finite fields, Discretnaya matematika 20 (2008) (in Russian). Eng. transl. in Discrete Mathematics and Applications 18 (2008). [79] W. Eberly, Very fast parallel polynomial arithmetic, SIAM J. Comput. 18(5) (1989), 955–976. [80] V.B. Afanasyev, Complexity of VLSI implementation of finite field arithmetic, Proc. of II Intern. workshop on algebraic and combinatorial coding theory (Leningrad, USSR, Sep. 1990), 6–7. [81] C. Paar, P. Fleischmann, P. Soria-Rodriges, Fast arithmetic for public-key algorithms in Galois fields with composite exponents, IEEE Trans. Comp. 48(10) (1999), 1025–1034. [82] C. Paar, J.L. Fan, Efficient inversion in tower fields of characteristic two, ISIT, Ulm, Germany, 1997. [83] A.A. Burtzev, I.B. Gashkov, S.B. Gashkov, On the complexity of Boolean circuits for arithmetic in certain towers of finite fields, Vestnik MGU, Ser. 1. Mathem., Mechan. 5 (2006), 10–16 (in Russian). [84] M. Morii, M. Kasahara, Efficient construction of gate circuit for computing multiplicative inverses in GF(2n ), Trans. of IEICE 72(1) (1989), 37–42. [85] S.B. Gashkov, R.A. Khokhlov, On the depth of logical circuits for operations in fields GF(2n ), Chebyshevsky sbornik 4, no. 4(8) (2003), 59–71 (in Russian). [86] A.A. Burtzev, On circuits for multiplication and inversion in composite fields GF(2n ), Chebyshevsky sbornik 7 no. 1(17) (2006), 172–185 (in Russian). [87] D.V. Bailey, C. Paar, Efficient arithmetic in finite fields extensions with application in elliptic curve cryptography, Journal of cryptology 14 (2001), 153–176. [88] S. Baktir, B. Sunar, Optimal tower fields. IEEE Trans. Comp. 53(10) (2004), 1231–1243. [89] S. Baktir, J. Pelzl, T. Wollinger, B. Sunar, C. Paar, Optimal tower fields for hyperelliptic curve cryptosystems, Proc. of IEEE 38th ACSSC, (2004). [90] S. Baktir, B. Sunar, Achieving efficient polynomial multiplication in Fermat fields using fast Fourier transform, Proc. of ACMSE’06 (2006), ACM Press, 549–554. [91] A.A. Burtzev, S.B. Gashkov, On circuits for arithmetic in composite fields of large characteristic, Chebyshevskyi sbornik 7, no. 1(17) (2006), 186–204 (in Russian). [92] S. Baktir, B.Sunar, Frequency domain finite field arithmetic for elliptic curve cryptography, Proc. of ISCIS’2006, LNCS 4263 (2006), 991–1001. [93] S. Baktir, S. Kumar, C. Paar, B. Sunar, A state-of-the-art elliptic curve cryptographic processor operating in the frequency domain, Mobile Networks and Appl. 12(4) (2007), 259–270. [94] P.S.L.M. Barreto, H.Y. Kim, B. Lynn, M. Scott, Efficient algorithms for pairing-based cryptosystems, Proc. of Crypto’2002, LNCS 2442 (2002), 354–368. [95] R. Granger, D. Page, M. Stam, Hardware and software normal basis arithmetic for pairing based cryptography in characteristic three, IEEE Trans. on Comp. 54(7) (2005), 852–860. [96] D. Page, N.P. Smart, Hardware implementation of finite fields of characteristic three, Proc. of CHES’2003, 529–539. [97] G. Bertoni, J. Guajardo, S. Kumar, G. Orlando, C. Paar, T. Wolinger, Efficient GF(pm ) arithmetic architectures for cryptographic applications, LNCS 2612 (2003), 158–175. [98] T. Kerins, W.P. Marnane, E.M. Popovici, P.S.L.M. Barreto, Efficient hardware for Tate pairing calculation in characteristic three, Proc. of CHES’2005, LNCS 3659 (2005), 412. [99] I. Duursma, H.-S. Lee, Tate pairing implementation for tripartite key agreement, Cryptology ePrint Archive, Report 2003/053, http://eprint.iacr.org/. [100] I. Duursma, H.-S. Lee, Tate pairing implementation for hyperelliptic curves y 2 = xp − x + d, Proc.
S.B. Gashkov and I.S. Sergeev / Bit-Parallel Circuits for Arithmetic in Finite Fields
125
of Asiacrypt’2003, LNCS 2894 (2003), 111–123. [101] S. Kwon, Efficient Tate pairing computation for supersingular elliptic curves over binary fields, Cryptology ePrint Archive, Report 2004/303, http://eprint.iacr.org/. [102] P.S.M.L. Barreto, S. Galbraith, C. O’Eigeartaigh, M. Scott, Efficient pairing computation on supersingular Abelian varieties, Cryptology ePrint Archive, Report 2004/375, http://eprint.iacr.org/. [103] E. Lee, H.-S. Lee, Y. Lee, Fast computation of Tate pairing on general divisors for hyperelliptic curves of genus 3, Cryptology ePrint Archive, Report 2006/125, http://eprint.iacr.org/. [104] A.A. Burtzev, On Boolean circuits for multiplication in finite fields of odd characteristics, Proc. of VI scientific school on discrete mathematics and its applications (Moscow, IPM RAN, April 2007) I (2007), 13–16 (in Russian). [105] C. Umans, Fast polynomial factorization, modular composition, and multipoint evaluation of multivariate polynomials in small characteristic, http://www.cs.caltech.edu/~umans/papers/ U07.pdf, 2007. [106] J. von zur Gathen, M.A. Shokrollahy, J. Shokrollahy, Efficient multiplication using type 2 optimal normal bases, LNCS 4547 (2007), 55–68.
126
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-126
On a Family of Perfect Nonlinear Binomials Tor HELLESETH a , Gohar KYUREGHYAN b , Geir Jarle NESS a , and Alexander POTT b,1 a University of Bergen, Bergen, Norway b Otto-von-Guericke-University, Magdeburg, Germany Abstract. A mapping f : GF(pn ) → GF(pn ) is called differentially k-uniform if k is the maximum number of solutions x ∈ GF(pn ) of f (x + a) − f (x) = b, where a, b ∈ GF(pn ) and a = 0. A 1-uniform mapping is called perfect nonlinear (PN). In this paper we discuss some problems related to the equivalence of perfect k nonlinear functions, and describe a class of perfect nonlinear binomials uxp +1 + 2 2k x in GF(p ). These are the first PN binomials known to us which are composed with inequivalent monomials. We show that this family of binomials is equivalent to the monomial x2 . We survey some of the close connections between perfect nonlinear functions and finite affine planes, in particular those which are important for equivalence proofs. Keywords. Perfect nonlinearity, semifield, equivalence of functions, planar function
Introduction Let f (x) be a mapping f : GF(pn ) → GF(pn ), where p is a prime and GF(pn ) is the finite field with pn elements. Denote by N (a, b) the number of solutions x ∈ GF(pn ) of f (x + a) − f (x) = b where a, b ∈ GF(pn ). Set Δf = max{N (a, b) | a, b ∈ GF(pn ), a = 0}. The value Δf is called the differential uniformity of the mapping f . A mapping is said to be differentially k-uniform if Δf = k. For applications in cryptography one would like to find functions where Δf is small to resist the differential cryptanalysis. When p = 2, the solutions of f (x + a) − f (x) = b come in pairs x, x + a, and therefore Δf = 2 is the smallest possible value. If Δf = 2, the function f is called almost perfect nonlinear (APN). For an odd prime p, there exist mappings with Δf = 1. Such mappings are called perfect nonlinear (PN). In geometry, they are known as planar functions. 1 Addresses of the authors: Tor Helleseth and Geir Jarle Ness, The Selmer Center, Department of Informatics, University of Bergen, N-5020 Bergen, Norway; Gohar Kyureghyan and Alexander Pott, Department of Mathematics, Otto-von-Guericke-University Magdeburg, D-39016 Magdeburg, Germany.
T. Helleseth et al. / On a Family of Perfect Nonlinear Binomials
127
Both APN and PN functions have been studied for many years. Recently, there is rekindled interest: In the APN case, new functions have been constructed. Moreover, the importance of the concept of the equivalence of functions introduced in [1] became clear in [2]. In [3] a new family of PN functions has been constructed. These PN functions yielded new skew-symmetric Hadamard difference sets, existence of which was an open problem for many years. In [4,5] PN functions are used to obtain optimal constantcomposition codes and signal sets. In this paper we consider PN functions. In Section 1, we summarize several issues on the equivalence of PN functions. Few functions, up to equivalence, with small Δf are known. The monomial mappings f (x) = xd are the most studied such mappings. In [6], Helleseth and Sandberg performed a computer-search and characterized most of the monomial APN mappings known today. In [7] it was shown that the APN binomial x3 +ux36 (where u is a suitable element of GF(210 )) cannot be obtained from monomial functions with known equivalence transformations. This was the first example of such an APN function. The second similar binomial over GF(212 ) found in [7] is shown to be a member of an infinite class, see [8]. In this paper we consider PN binomials of the form: f (x) = uxd1 + xd2 ,
u a constant in GF(pn )∗ .
More precisely, given an odd prime p and n = 2k, we study the mapping given by d1 = pk + 1,
d2 = 2.
In Section 2, we characterize the coefficients u for which these functions are PN. These are the only PN binomials known to us which are the sum of two inequivalent monomials. In Section 3) we show that these binomials are affine equivalent to the function x2 .
1. Preliminaries In this section we present some general results that will be needed in the following. We will also survey known results about the connection between PN functions and projective planes. For background from finite fields, we refer to [9], for instance. Throughout this paper, we consider functions f : GF(pn ) → GF(pn ) with p an odd prime. Any such function can be described by a polynomial of degree at most pn − 1. Formally, we must distinguish between polynomials and the associated polynomial n functions. But if we reduce all polynomials modulo xp − x (i.e., the degree is at most pn − 1), such a distinction is not needed. As already mentioned in the introduction, a function f is called perfect nonlinear or planar if the difference functions f (x+a)−f (x) are permutations for all a ∈ GF(pn ), a = 0. An easy example of such a function is f (x) = x2 . In Table 1, we list all monomial planar functions which are known so far. Later on, we refer to the second example as the Coulter–Matthews PN. It has been independently found also by Helleseth and Sandberg. There are two more cases which are not power mappings (see Table 2). Observe that all currently known PN functions, except of the Coulter–Matthews example, are of a very special nature: They have the form
128
T. Helleseth et al. / On a Family of Perfect Nonlinear Binomials
Table 1. Known PN power mappings in GF(pn ) function
conditions
x2 k
x(p
+1)/2
k xp +1
proved in
none
folklore
p = 3, gcd(n, k) = 1, k is odd
[10,6]
n/ gcd(n, k) is odd
[11,10,12]
Table 2. Known nonpower mappings in GF(pn ) function
conditions
x10 − x6 − x2
p = 3, n odd
[3]
p = 3, n odd
[10]
x10 + x6 − x2 n−1
i,j=0
ai,j xp
i
+pj
,
proved in
ai,j ∈ GF(pn ).
Functions of this type are called Dembowski–Ostrom polynomials. The exponents occurring in Dembowski–Ostrom polynomials have p-weight 2. The p-weight of a nonb i pi , negative integer m is the sum of digits bi in the p-adic representation m = 0 ≤ bi < p, of m. At this point we want to mention a similarity of PN functions with a subfamily of APN functions, so called “crooked” functions, for p = 2. Given a PN function f : GF(pn ) → GF(pn ) and a nonzero element a ∈ GF(pn ), the set S(a) := {f (x + a) − f (x) | x ∈ GF(pn )} = GF(pn ) is a (trivial) subspace of GF(pn ) of the largest possible dimension. In the case p = 2 the largest possible dimension for a set S(a) is n − 1. The functions for which S(a) for any a ∈ GF(2n )∗ is an (n − 1)dimensional (affine) subspace of GF(2n ) are called crooked. The classification of the crooked polynomials is an open problem. In [13,14] it is shown that the only monomial and binomial crooked functions are given by Dembowski–Ostrom polynomials. Given two functions, the following question arises naturally: Are these functions really “different”? In order to distinguish functions, we introduce the concept of affine equivalence. Recall a polynomial L : GF(pn ) → GF(pn ) is called linearized polynon−1 i mial if it has the form L(x) = i=0 ai xp , ai ∈ GF(pn ). The linearized polynomials describe GF(p)-linear mappings of GF(pn ). The sum of a constant a ∈ GF(pn ) and a linearized polynomial is called an affine polynomial. A polynomial over GF(pn ) which defines a permutation of GF(pn ) is called a permutation polynomial in GF(pn ). We say that two functions f, g : GF(pn ) → GF(pn ) are affine equivalent if there are two linearized permutation polynomials L and M and an affine polynomial G such that g = L ◦ h ◦ M + G. This defines an equivalence relation. It is easy to see that the maximum p-weight of the exponents of a non-linearized polynomial f = i ai xi , i.e., the maximum p-weight of the i′ s with ai = 0, is an invariant under affine equivalence. This shows immediately that all the Coulter–Matthews monomials are affine inequivalent, and they are never affine equivalent to a Dembowski– Ostrom polynomial for k = 1. Indeed,
T. Helleseth et al. / On a Family of Perfect Nonlinear Binomials
129
Table 3. Affine equivalence of the PN Dembowski–Ostrom polynomials in GF(pn ) listed in Tables 1 and 2 equivalent functions
conditions
proved in
x10 ± x6 − x2
x2
p = 3, n = 1, 2
[15]
x2
p = 3, n = 3
[15]
x10 + x6 − x2
x4
p = 3, n = 3
[15]
n/ gcd(k, n) odd
folklore
x10 − x6 − x2 xp
k
+1
xp
n−k
+1
pk − 1 p − 1 k−1 pk + 1 = +1= (p + . . . + 1) + 1, 2 2 2 implying that the p-weight k(p − 1)/2 + 1 of the exponent in the Coulter–Matthews monomial is different from 2 if k = 1. In general, it is not at all easy to decide whether two given functions f and g with equal maximum p-weight of their exponents are affine equivalent. For instance, [15] contains a nontrivial proof that the two Dembowski–Ostrom polynomials x10 − x6 − x2 and x10 + x6 − x2 are affine inequivalent in GF(3n ) if n > 3. Table 3 gives a complete list of affine equivalences of the known Dembowski–Ostrom polynomials listed above. An easy argument shows that the monomial Dembowski–Ostrom polynomials e xp +1 , 0 ≤ e ≤ n/2, are pairwise affine inequivalent. Instead of proving that there are no linearized permutations L and M with e
xp
+1
= L ◦ xp
f
+1
◦M
(we may ignore the affine polynomial G since there are no affine term on the left hand side, and the composition with linearized polynomials L and M on the right side produces no linearized term), we show that there are no linearized permutations L and M with f e (1) [M (x)]p +1 = L xp +1 . On the right hand side of (1), the only terms xt which occur have exponents t = pf +j + n−1 i pj . What happens on the left hand side? Let M (x) = i=0 bi xp . Not all the bi ’s can be 0, hence let us assume bs = 0 for some s. Note [M (x)]
pe +1
=
n−1
e e+i bpi xp
i=0
s
n−1
pi
bi x
i=0
e
s
.
(2)
The coefficient of xp +p in (2) is bps−e · bs , where we compute the subscripts modulo n. Since this coefficient has to be 0, we obtain bs−e = 0. Now let us look at the coefficient e+s s of xp +p . If e = f, n − f , this coefficient must be 0. If we compute it, we get e
e
bps bs + bps−e be+s = 0, which is impossible since bs = 0 by assumption. e n−e Note that xp +1 and xp +1 are trivially affine equivalent:
130
T. Helleseth et al. / On a Family of Perfect Nonlinear Binomials
xp
e
+1
!pn−e
n
= xp
+pn−e
= x1+p
n−e
.
The above technique of proving the inequivalence becomes too complicated for polynomials consisting of many terms. So “easy” invariants under affine equivalence are needed. Such invariants may come from the connection between planar functions and certain objects in geometry. We refer to [16] for background on projective and affine planes. A finite affine plane of order m is an incidence structure consisting of m2 points and 2 m + m lines with the following properties: Given two different points, there is precisely one line through these two points. Moreover, each line is incident with exactly m points. Recall that any affine plane can be uniquely extended to a projective plane. From now on, we will assume without loss of generality f (0) = 0. We may easily construct affine planes from planar functions f : GF(pn ) → GF(pn ). The points are the elements in GF(pn )2 , the lines are the sets Df + (a, b) := {(x + a, f (x) + b) | x ∈ GF(pn )}
(3)
= {(x, f (x − a) + b) | x ∈ GF(pn )}
and the sets {(a, x) | x ∈ GF(pn )},
a ∈ GF(pn ).
(4)
We call this affine plane I(f ). The fact that f is a planar function shows immediately that two points (x1 , y1 ) and (x2 , y2 ) are joined by exactly one line if x1 = x2 : We need to find a and b such that y1 = f (x1 − a) + b and y2 = f (x2 − a) + b. This means y1 − y2 = f (x1 − a) − f (x1 − a + (x2 − x1 )), which gives precisely one solution for x1 − a, and hence for a. Points with x1 = x2 = a are joined by the line {(a, x) | x ∈ GF(pn )}. There is another way to define a plane using the fact that a planar function defines a commutative semifield. A finite presemifield is a finite set S with two binary operations + and ∗ satisfying the following axioms: (S1) (S, +) is an Abelian group with identity 0. (S2) a ∗ (b + c) = a ∗ b + a ∗ c and (a + b) ∗ c = a ∗ c + b ∗ c for all a, b, c ∈ S. (S3) If a ∗ b = 0, then a or b is 0. If, in addition to this, we also have (S4) There exists an element 1 = 0 such that 1 ∗ a = a = a ∗ 1 for all a ∈ S, then the presemifield is called a semifield. (Pre)semifields are commutative if a ∗ b = b ∗ a for all a, b ∈ S. Any (commutative) presemifield can easily be transformed into a (commutative) semifield. This is not unique, see [15], for instance. A semifield S defines an affine plane of order m = |S| as follows: The point set is S × S, the m2 + m lines are the sets
T. Helleseth et al. / On a Family of Perfect Nonlinear Binomials
{(x, a ∗ x + b) | x ∈ S},
a, b ∈ S
131
(5)
and {(a, x) | x ∈ S},
a ∈ S.
(6)
If we start with a presemifield, then all the semifields that we may construct from it yield isomorphic planes: We call two planes isomorphic if there is a bijection between their point sets which is incidence preserving. If f is a planar Dembowski–Ostrom polynomial on GF(pn ), n odd, then the multiplication ∗ defined by x∗y =
1 (f (x + y) − f (x) − f (y)) 2
(7)
together with the usual addition + on GF(pn ) turns GF(pn ) into a commutative presemifield. We call the plane corresponding to this presemifield Π(f ). It can be shown that the planes Π(f ) and I(f ) are actually isomorphic. In our case, an isomorphism is defined by the mapping (x, y) → (x, f (x) + y), see [15]. Conversely, let (S, +, ∗) be a commutative presemifield. Then it is well known and easy to see that (S, +) is elementary Abelian. Therefore, we may also interprete S as a finite field GF(pn ), i.e., we define a multiplication ∗′ on the set S such that (S, +, ∗′ ) “is” GF(pn ). Then the mapping f : S → S, x → x ∗ x defines a PN mapping on S. Indeed, it holds (x + a) ∗ (x + a) − x ∗ x − a ∗ a = 2(a ∗ x), which is a bijection on S for every a = 0. Moreover, the mapping f considered on S with a finite field structure has a polynomial representation given by a sum of a planar Dembowski–Ostrom polynomial and a linearized polynomial. This can be obtained from the observation that the mapping f (x + a) − f (x) − f (a) is linear. Indeed, x + y → 2(a ∗ (x + y)) = 2(a ∗ x) + 2(a ∗ y). In [15] it is shown that the only mappings g : GF(pn ) → GF(pn ) with linear g(x + a) − g(x) − g(a) are given by a sum of a planar Dembowski–Ostrom polynomial and a linearized polynomial. We emphasize that this connection between PN functions and semifields holds only if the PN function is Dembowski–Ostrom. In the case of Dembowski–Ostrom polynomials, the sets {(x, f (x + a) − f (x) − f (a)) | x ∈ GF(pn )} ⊆ GF(pn ) × GF(pn )
(8)
are subspaces of GF(p)2n , which is not the case for the Coulter–Matthews function. It is proven in [10] that a function has to be of Dembowski–Ostrom type if the sets in (8) are linear subspaces. This connection between planes and PN functions raises another question about the equivalence of PN functions: Is it possible that functions which are not affine equivalent
132
T. Helleseth et al. / On a Family of Perfect Nonlinear Binomials
Table 4. Known commutative semifields of order pn , p prime planar function finite field
x2
Albert’s commutative twisted fields
xp
order pn
e
+1
pn , n/ gcd(e, n) odd, e ≤ (n − 1)/2 p2r
Dickson semifields Coulter–Matthews semifields
x10 + x6 − x2 x10 − x6 − x2
Ding–Yuan semifields Ganley semifields
3n ,n odd 3n , n odd 32r , r odd
Cohen–Ganley semifields
32r
Coulter–Henderson–Kosick semifield
38
Penttila–Williams semifield
310
generate isomorphic planes? It is quite obvious that affine equivalence of the functions imply isomorphism of the planes. For the converse, we quote the following result from [15]: Theorem 1. Any two planar Dembowski–Ostrom polynomials f and g in GF(pn ) with n odd are affine equivalent if and only if the planes corresponding to f and g are isomorphic. In the case n even, isomorphism of the planes implies equivalence of the planar Dembowski–Ostrom polynomials only under an additional technical assumption on the corresponding semifield. There are no similar results about the connection between equivalence of planar functions and isomorphism of the corresponding planes if the functions are not of Dembowski–Ostrom type. Table 4 lists the known classes of commutative semifields, see [17,15,18]. In [19] a list of planar Dembowski–Ostrom polynomials which correspond to Dickson, Cohen–Ganley, Ganley and Penttila–Williams semifields is given. These polynomials do not have a “nice” description which is independent of n and which has coefficients in GF(p).
2. A New Family of PN Binomials over GF(p2k ) In this section we describe a new family of PN binomials over GF(p2k ). Define two subsets of GF(p2k ) by
and
k G = g ∈ GF(p2k ) g p +1 = 1 , k Γ = γ GF(p2k ) γ p −1 = −1 k k H = g(1 − γ) g p +1 = 1, γ p −1 = −1 = G(1 − Γ).
We note G(1 − Γ) = G(Γ − 1) since −G = G.
(9)
(10)
133
T. Helleseth et al. / On a Family of Perfect Nonlinear Binomials
Theorem 2. Let p be an odd prime, n = 2k and let f : GF(pn ) → GF(pn ) be given by k f (x) = uxp +1 + x2 . Then f (x) is PN if and only if u ∈ / H ∪ G. k
Proof. Let f (x) = uxp +1 +x2 . We need to prove that the maximum number of solutions of f (x + a) − f (x) = b is at most one for any a, b in GF(pn ), a = 0. Hence, we need to consider k
f (x + a) − f (x) = u(x + a)p
+1
k
+ (x + a)2 − uxp
k
= uaxp + uap x + 2ax + uap
k
k
+1
+1
− x2
+ a2 .
The equation f (x+a)−f (x) = b is an affine equation. If it has a solution it has the same number of solutions as its linearized part. For the function f (x) to be PN it is necessary and sufficient that k
k
uaxp + (uap + 2a)x = 0 has x = 0 as its only solution for any nonzero a ∈ GF(pn ). Suppose f (x) is not PN. Then there is a nonzero solution given by
xp
k
−1
=
k − uap + 2a ua
(11)
,
which leads to
which expands to up
k
+1 p2k +pk
a
pk +1 k k uap + 2a = (ua)p +1 , k
2k
+ 2up ap
+1
k
+ 2ua2p + 22 ap
k
+1
= up
k
+1 pk +1
a
,
therefore 2ap 2k
Note here that ap
k
+1
k
2k
u p ap
−pk
+ uap
k
−1
! + 2 = 0.
= a and 2p = 2. This condition is equivalent to pk k k uap −1 + 1 + uap −1 + 1 = 0.
If uap
k
−1
we obtain
+ 1 = 0, then u ∈ −G = G. In the case
uap
k
−1
pk −1 = −1, +1
(12)
134
T. Helleseth et al. / On a Family of Perfect Nonlinear Binomials
uap
k
−1
∈ −1 + Γ
and thus u ∈ H = G(1 − Γ). Thus we conclude that f (x) is PN for any u ∈ / H ∪ G. Suppose u ∈ H ∪ G, we will show that f (x) is not PN. In the case u ∈ G we have k uap −1 = −1 for some nonzero element a in GF(pn ). Then (11) shows xp
k
−1
=
k − uap + 2a
=
ua
k −(−a + 2a) −1 = = ap −1 . ua u
Therefore the linearized part of the equation f (x + a) − f (x) = b has pk solutions for this value of a and some b. It therefore follows that f (x) is not PN in this case. k In the remaining case u ∈ H = G(−1+Γ) we can write uap −1 = −1+γ, for some k pk p −1 k k k = −1 and therefore uap −1 + 1 +uap −1 +1 = 0. γ in Γ. Then uap −1 + 1
It follows from (12) that the linearized part of f (x + a) − f (x) = b has pk solutions for this value of a and any b. The solutions are x = 0 and the zeros of
xp
k
−1
=
k − uap + 2a ua
.
It therefore follows that f (x) is not PN in this case. We are now going to determine the number of u’s such that uxp
k
+1
+ x2 is PN.
Lemma 1. Let n = 2k and k k H = g(1 − γ) g p +1 = 1, γ p −1 = −1 . Then |H| = (pn − 1)/2.
Proof. Suppose g1 (1 − γ1 ) = g2 (1 − γ2 ), where g1 , g2 ∈ G and γ1 , γ2 ∈ Γ. Then we obtain
g1 g2
pk +1
=
γ2 − 1 γ1 − 1
pk +1
=
γ2p
k
γ1p
k +1
+1
k
− γ2p − γ2 + 1 k
− γ1p − γ1 + 1
=
−γ22 + 1 . −γ12 + 1
Hence, it follows that γ1 = ±γ2 . Case 1: γ1 = γ2 . In this case we have since g1 (1 − γ1 ) = g2 (1 − γ2 ) that g1 = g2 . Case 2: γ1 = −γ2 . In this case we obtain g1 = g2
1 − γ2 1 + γ1 = g2 . 1 − γ1 1 − γ1
135
T. Helleseth et al. / On a Family of Perfect Nonlinear Binomials k
Then since γip = −γi for i = 1, 2 we obtain k g1p +1
=
1 + γ1 g2 1 − γ1
g2p
=
k
pk +1
=
g2p
k
+1
k
(1 + γ1 + γ1p + γ1p pk
k
+1
)
pk+1
1 − γ1 − γ1 + γ1
+1
k (1 − γ12 ) = g2p +1 = 1. 1 − γ12
Hence, gi ∈ G and it follows that |H| = (p2k − 1)/2, since the elements g(1 − γ) in H are equal in pairs. Corollary 1. There are precisely 2k
p
−
p2k − 1 (pk − 1)2 p2k − 1 k +p +1 = − pk = −1 2 2 2 k
different u such that uxp
+1
+ x2 is PN on GF(p2k ).
3. Affine Equivalence In this section, we are going to show that our binomials are actually equivalent to x2 . We will need that certain quadratic equations over GF(p2k ) have always a solution. Lemma 2. (a) Given u ∈ GF(p2k ), u = 0, there exists an element z ∈ GF(p2k ) such that k
up z 2 − 2z + u = 0.
(13)
(b) Eq. (13) has only one solution if and only if u ∈ G. (c) Let z1 , z2 be the solutions of (13). Then either both of z1 , z2 are (pk − 1)/2powers in GF(p2k ) or none of them. Proof. (a) We consider the equation k
k
k
uz 2p − 2z p + up = 0, k
which is equivalent to (13). Taking z p = y and multiplying by u−1 , it can be rewritten as k
y 2 − 2u−1 y + up
−1
k
= (y − u−1 )2 + up
−1
− (u−1 )2 = 0.
(14)
The last equation has a solution, since u−2 − up
k
−1
k
= up
−1
k u−1−p − 1
is a square of some element in GF(p2k ). Indeed, up even. Further, note that
k
−1
is a square since its exponent is
136
T. Helleseth et al. / On a Family of Perfect Nonlinear Binomials
pk k k u−1−p − 1 = u−1−p − 1,
k
implying that u−1−p − 1 is an element of the subfield GF(pk ). The multiplicative group of that subfield is the set of (pk + 1)-th powers, hence all its elements are squares. (b) It is enough to note that k k k u−2 − up −1 = up −1 u−1−p − 1 = 0 if and only if u ∈ G. (c) It is enough to prove the statement for the roots y1 and y2 of Eq. (14). Let α be a k primitive element of GF(p2k ). We have y1 · y2 = up −1 , hence . - k . - k y1 · y2 ∈ αp −1 ≤ α(p −1)/2 ,
which is the subgroup of order 2(pk + 1) in GF(pk ). The product of two elements is in this subgroup only if both elements are in the subgroup, or none of the two elements is contained in it. k
Using the above lemma, we show that the mapping f (x) = uxp +1 + x2 defined in GF(p2k ) can be obtained from h(x) = x2 by a composition with linear mappings L and M . Note that this is not the affine equivalence defined in Section 1, since we do not require here that M and L are bijective. k
Theorem 3. Let u ∈ GF(p2k )∗ , f (x) = uxp b ∈ GF(p2k ), such that
+1
+ x2 and h(x) = x2 . Then there is (15)
M ◦ f = h ◦ L, k
k
where M (x) = x + b2 xp and L(x) = x + bxp . Proof. Let b be an element of GF(p2k ) satisfying k
up b2 − 2b + u = 0.
(16)
The existence of such a b is guaranteed by Lemma 2. Then M ◦ f (x) = uxp
k
+1
+ x2 + b2 (uxp
= uxp
k
+1
+ x2 + b2 up xp
k
k
k
+1 2k
+ x2 )p
+pk
k
= x2 + b2 x2p + (u + b2 up )xp
k
k
+ b2 x2p k
+1
.
Further, we have k 2 k k h ◦ L(x) = x + bxp = x2 + b2 x2p + 2bxp +1 ,
and the statement is proved.
137
T. Helleseth et al. / On a Family of Perfect Nonlinear Binomials
Our next goal is to see that if an element u defines a perfect nonlinear f (x), then the k k corresponding linear mappings M (x) = x + b2 xp and L(x) = x + bxp are bijective. We will use the following observations. Lemma 3. Let α be a primitive element of GF(p2k ), and let b ∈ GF(p2k )∗ . k
2 p / (a) The - klinear .mapping M (x) = x + b x is bijective if and only if b ∈ (p −1)/2 . In particular, if M (x) is bijective, there is a unique u ∈ GF(p2k ) α . - k k / α(p −1)/2 . satisfying up b2 − 2b + u = 0 on GF(p2k ) if and only if b ∈ - k . k (b) The linear mapping L(x) = x + bxp is bijective if and only if b ∈ / αp −1 . (c) If L and M in (15) are bijective, then f is perfect nonlinear. . - k Proof. (a) Indeed, if b ∈ / α(p −1)/2 then x = 0 is the unique zero of M (x). (b) Similar. (c) Obvious, since h is perfect nonlinear. . - k The number of b ∈ GF(p2k )∗ such that b ∈ / α(p −1)/2 is
p2k − 1 −
2(p2k − 1) = (pk − 1)2 − 4. pk − 1
The next theorem proves that all perfect nonlinear function f (x) = uxp affinely equivalent to x2 .
k
+1
+ x2 are
Theorem 4. Let p be an odd prime, and let H and G be defined as in (10) and (9). If k u∈ / H ∪ G, then the function f (x) = uxp +1 + x2 is affinely equivalent to h(x) = x2 . . - k Proof. Let b ∈ / α(p −1)/2 . Then by Lemma 3 (a) and (b), the linear mappings M (x) = k
k
x + b2 xp and L(x) = x + bxp are bijective on GF(p2k ). Further by Lemma 3(a) there is a unique u satisfying (16), and- this u ∈ / H . ∪ G by Lemma 3(c) and Theorem 2. On k the other side, let u = 0 and b ∈ / α(p −1)/2 such that (16) holds. Then by Lemma 2(c) . - k there exists another b′ ∈ / α(p −1)/2 satisfying (16). The number of such pairs (b, b′ ) is (pk − 1)2 −2 2
and by Corollary 1 it is also the number of different perfect nonlinear functions f = k uxp +1 + x2 with u = 0. 4. Conclusions In this paper we characterize all u ∈ GF(p2k ) such that the function given by x2 + k uxp +1 is PN. Further we showed that these mappings are affine equivalent to x2 . This
138
T. Helleseth et al. / On a Family of Perfect Nonlinear Binomials
provided the first example of a PN binomial, which is a sum of inequivalent monomials and is equivalent to one of its composing monomial. We have been informed [20] that x90 + x2 is a PN function in GF(35 ) which is inequivalent to the known PN functions on GF(35 ). This example seems not to be a member of an infinite family of PN binomials. More examples of PN functions on GF(35 ) have been found in [20].
References [1] C. Carlet, P. Charpin, and V. Zinoviev, Codes, bent functions and permutations suitable for DES-like cryptosystems, Des., Codes, Cryptogr. 15 (1998), 125–156. [2] L. Budaghyan, C. Carlet, and A. Pott, New classes of almost bent and almost perfect nonlinear polynomials, IEEE Trans. Inform. Theory 52 (2006), 1141–1152. [3] C. Ding and J. Yuan, A family of skew Paley–Hadamard difference sets, J. Comb. Theory, Ser. A 113 (2006), 1526–1535. [4] C. Ding and J. Yuan, A family of optimal constant-composition codes, IEEE Trans. Inform. Theory 51 (2005), 3668–3671. [5] C. Ding and J. Yin, Signal sets from functions with optimum nonlinearity, IEEE Trans. Communications 55 (2007), 936–940. [6] T. Helleseth and D. Sandberg, Some power mappings with low differential uniformity, Applicable Algebra in Engineering, Communications and Computing 8 (1997), 363–370. [7] Y. Edel, G. Kyureghyan, and A. Pott, A new APN function which is not equivalent to a power mapping, IEEE Trans. Inform. Theory 52 (2006), 744–747. [8] L. Budaghyan, C. Carlet, P. Felke, and G. Leander, An infinite class of quadratic APN functions which are not equivalent to power mappings, Cryptology ePrint Archive, Report 2005/359, http://eprint.iacr.org/. [9] R. Lidl and H. Niederreiter, Finite Fields, vol. 20 of Encyclopedia of Mathematics and its Applications, Cambridge University Press, 2nd ed., 1997. [10] R.S. Coulter and R.W. Matthews, Planar functions and planes of Lenz–Barlotti class II, Des., Codes, Cryptogr. 10 (1997), 167–184. [11] P. Dembowski and T. Ostrom, Planes of order n with collineation groups of order n2 , Math. Z. 103 (1968), 239–258. [12] T. Helleseth, C. Rong, and D. Sandberg, New families of almost perfect nonlinear power mappings, IEEE Trans. on Inform. Theory 45 (1999), 475–485. [13] G. Kyureghyan, Crooked maps in F2n , Finite Fields Appl. 13(3) (2007), 713–726. [14] J. Bierbrauer and G.M. Kyureghyan, Crooked binomials, Des., Codes, Cryptogr., in press. [15] R.S. Coulter and M. Henderson, Commutative presemifields and semifields, Anvances in Math. 217 (2008), 282–304. [16] D.R. Hughes and F.C. Piper, Projective planes, Springer-Verlag, New York, 1973. (Graduate Texts in Mathematics, vol. 6.) [17] W.M. Kantor, Commutative semifields and symplectic spreads, J. Algebra 270 (2003), 96–114. [18] R.S. Coulter, M. Henderson, and P. Kosick, Planar polynomials for commutative semifields with specified nuclei, Des., Codes, Cryptogr. 44 (2007), 275–286. [19] N. Nakagawa, On functions of finite fields, http://www.math.is.tohoku.ac.jp/~taya/ sendaiNC/2006/report/nakagawa.pdf. [20] G. Weng, Private communication, 2007.
139
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-139
Classification of Boolean Quartic Forms in Eight Variables Philippe LANGEVIN and Gregor LEANDER Abstract. We present the strategy that we recently used to compute the complete classification of Boolean quartic forms in eight variables. Furthermore, we outline some applications of this result.
Introduction Let m be a positive integer. By a Boolean function we understand a mapping f from Fm 2 in F2 . The Boolean functions form a F2 -space of dimension 2m . The system of monomial / functions XS : x → i∈S xi where S ranges the subsets of {1, 2, . . . , m} is the standard basis of this space. The decomposition of f in the standard basis f=
aS X S ,
S⊂{1,2,...,m}
as ∈ F2
if often called the algebraic normal form of f . The set of Boolean functions of degree less k or equal to k forms a subspace of dimension i=0 mi . From the coding theory point of view [1], it corresponds to the Reed–Muller code of order k of length 2m , and we use the notation RM(k, m). The Reed–Muller code are nested, an element of the quotient space RM∗ (k, m) = RM(k, m)/ RM(k − 1, m). is called a Boolean form of degree k. From the algebraic point of view, the space m RM∗ (k, m) is nothing but the r-th alternate product of Fm 2 , its dimension over F2 is k . A Boolean form ω of degree k has one and only one homogeneous representative.
#S=k
aS XS ∈ ω.
In this paper, the symbol ω will be interpreted in two ways: as a form or as a function. In the later case, it will be the homogeneous representative of ω. The general linear group acts naturally over the set of Boolean functions in leaving the spaces RM(k, m) invariant. In particular, it acts on RM∗ (k, m). Given a ω ∈ RM∗ (k, m), the action of A ∈ GL(2, m) on ω, denoted by ω A , is the reduction modulo RM(k − 1, m) of the k
function ω ◦ A. Conversely, we say that ω ′ is equivalent to ω (ω ′ ∼ ω), if there exists
140
P. Langevin and G. Leander / Classification of Boolean Quartic Forms in Eight Variables
A ∈ GL(2, m) such that ω ′ = ω A . The determination of a system of represensatives cl(k, m) is an important step for the study of parameters of RM(k, m). In this paper, we describe (Sections 2, 3, 4) the strategy that we used to compute a complete classification of RM∗ (4, 8) under the action of GL(2, 8) finalizing the work presented in [2], continuing the works [3,4,5,6,7,8]. The method is discussed in general in Section 1, some interesting numerical results are outlined in the last section.
1. Classification: Terminology and Algorithm In this section, we consider a finite group G acting over a finite set X. The action of A ∈ G on x ∈ X is denoted by xA . Two elements x and y are said equivalent (x ∼ y) if there exists A ∈ G such that y = xA . The class or orbit of x is the set orb(x) = {y ∈ X | y ∼ x}. The number of orbits is often call the rank of the action of G over X. It is given by the Burnside’s Lemma n(X, G) =
1 F (A, X), #G A∈G
F (A, X) = #{x ∈ X | xA = x}.
The subgroup fix(x) = {A ∈ G | xA = x} is called the fixator of x. By a complete classification of X under G, we understand the determination of the class number n(X, G), a set of representatives, the size of the orbits and a system of generators for all the fixators. • A preclassification consists in pair (P, π) where P ⊂ X and π maps P into P(X) such that {π(p) | p ∈ P } is a partition of X compatible with the action of G that is ∀ p ∈ P ∀ x, y ∈ π(p) x ∼ y. • An invariant is a mapping j from X into a set of values V such that ∀ x, y ∈ X x ∼ y =⇒ j(x) = j(y). If there exists x ≁ y such that j(x) = j(y) = v ∈ V , we say that v is a collision value, of order k when j−1 (v) is the union of k equivalent classes. • A K-sampler is a mapping red from X into X such that ∀ x ∈ X red(x) ∈ orb(x) and # red(orb(x)) ≤ K 2 . The algorithm in Figure 1 is based on the birthday paradox to determine the classification of X assuming the number of equivalent classes is known. The success of the method depends on several parameters: the size of the preclassification, the number of collision values and on the capacity of the routine suborbit to provide samples of size K.
P. Langevin and G. Leander / Classification of Boolean Quartic Forms in Eight Variables
141
Algorithm C (Classification). The number of orbits N is assumed to be known. C1 [initialize]. Construct a preclassification (P, π). C2 [select]. Choose x = y randomly in P such that j(x) = j(y). C3 [sample]. lx ← suborbit(x, K), ly ← suborbit(y, K). C4 [test]. If lx ∩ ly = ∅, then go to C2. C5 [update]. π(x) ← π(x) ∪ π(y). Delete entry y in P . C6. If #P = N , then go to C2. C7. Return P . Figure 1. The strategy to reduce a preclassification to a classification by means of the invariant j. The procedure suborbit(x, K) selects K elements at random in the reduced part of orb(x).
2. The Number of Equivalent Classes The action of A ∈ GL(2, m) on the monomial XS is given by XSA (x) =
0
i∈S
⎛ ⎞ m ⎝ aij xj ⎠ = j=1
0
aij(i) XT =
#T =k j : S→T, i∈S j one to one
det AS,T XT ,
T
where AS,T is the square matrix of order k obtained by keeping the columns of index i ∈ S and the lines of index j ∈ T . The matrix of ω → ω A in the standard basis RM∗ (k, m), denoted by C k (A), is known as the k-th compound matrix of A, C k (A) = (det(AS,T )),
#S = #T = k.
Note that when k = 1, we recover the known action on linear forms since C 1 (A) equals the transpose of A. By mean of Burnside’s Lemma, the rank of the action of GL(2, m) over RM∗ (k, m) satisfies n(k, m) × # GL(2, m) =
F (A),
(1)
A∈GL(2,m)
where for simplicity we denote by n(k, m) the number n(RM∗ (k, m), GL(2, m)) and F (A) is the number of forms fixed by A. By replacing F (A) this formula can be rewritten as n(k, m) =
m k t 2( k )−rank(C (Ai )−I)
i=1
γ(Ai )
,
(2)
where m Ami is a list of representatives of the conjugacy classes of GL(2, m), I the k × k -identity matrix and γ(A) the order of the centralizer of A in GL(2, m). The enumeration of all the irreducible polynomials of degree less or equal to m allows the construction of all the possible invariant factors using the notion of companion matrices.
142
P. Langevin and G. Leander / Classification of Boolean Quartic Forms in Eight Variables
Table 1. Number of GL(2, m)-orbits in RM∗ (k, m) k\m 6 7 3 4
8
9
10
6 12 32 349 3691561 3 12 999 ∼ 1015 ∼ 1034
In [5], Hou proposed to go farther in the analysis of Eq. (2) using elementary factors. It is not really necessary for the present purpose. Indeed, the number of orbits n(k, m) for the small values of k and m indicated by Table 1 can be computed in a few seconds. The complementary map is the linear operator from RM∗ (k, m) to RM∗ (m − k, m) such that XS → XS , where S is the complement of the set S in {1, 2, . . . , m}. Thanks to the commutativity of the following diagram (see [5]) comp
RM∗ (k, m) −−−−→ RM∗ (m − k, m) ⏐ ⏐ ⏐ −1 ∗ ⏐ A2 2A
(3)
comp
RM∗ (k, m) −−−−→ RM∗ (m − k, m) we have k
m−k
ω ′ ∼ ω ⇐⇒ comp(ω ′ ) ∼ comp(ω), whence n(k, m) = n(m − k, m). 3. Sampler 2
Since the size of an orbit can be equal to the order of GL(2, m) ≈ 0.272m we can not use just the identity as sampler. In this section, we construct a sampler that was good enough to obtain the classification of RM∗ (4, 8). It is based on the notions of derivation and transvection. The derivation of f at u ∈ Fm 2 is the Boolean function Deru f (x) = f (x+u)+f (x). The derivation operator satisfies the following properties, see [4]: 1) 2) 3) 4)
if f = 0, then deg(Deru f ) < deg(f ); Deru (f + g) = Deru f + Deru g; Deru (f ◦ A) = (DeruA f ) ◦ A; Deru+v f = Deru f + Derv f + Derv ◦ Deru f .
∗ Note that property 4 means the mapping (u, ω) → Deru (ω) on Fm 2 × RM (k, m) is a bilinear map. In particular,
Δ(ω) = {Deru (ω) | u ∈ Fm 2 } is a linear space having dimension m in general, see next section. A transvection T ∈ GL(2, m) is defined by a pair (φ, u) ∈ RM∗ (1, m) × Fm 2 such that φ(u) = 0 : T (x) = x + φ(x)u.
P. Langevin and G. Leander / Classification of Boolean Quartic Forms in Eight Variables
143
The action of T over a Boolean function f is f T (x) = f (x + φ(x)u) = f (x) · (1 + φ(x)) + f (x + u) · φ(x) = Deru f (x) · φ(x) + f (x). Let us consider the form ω ∈ RM∗ (k, m). Using the tranvection T defined by the , we get: pair (Xm , u) where u = (v, 0) with v ∈ Fm−1 2 ω T (x) = Deru ω(x).Xm + ω(x). In particular, writing ω = ω1 + Xm ω2 where ω1 and ω2 are respectively forms of degree k and k − 1 in m − 1 variables. ω T = (Deru ω1 + ω2 ) · Xm + ω1 . We define the reduction of ω as red(ω) = ω1 + Xm ω ′ where ω ′ is a representative of the affine space ω2 + Δ(ω1 ). We will see in the next section that the set red(ω) is in general 2m smaller than # orb(ω).
4. Invariant Sometimes, it will be necessary to precise the parameters in our notations: orbkm (ω) the orbit of ω, and fixkm (ω) the fixator. An invariant of degree k in m variables is a mapping j such that k
ω ′ ∼ ω =⇒ j(ω ′ ) = j(ω). As it is pointed by Dillon in his thesis, finding invariants that are efficientely computable is a fundamental question in the theory of Boolean functions or Boolean forms. Note that given an invariant j of degree k in m variables, one obtains an invariant of degree m − k using the operator comp defined at the end of Section 2. The most basic invariant is certainly those that map ω ∈ RM∗ (k, m) to the minimal number of variables needed to express the degree k part of an element in the class ω. It is denoted by var(ω). It is directly connected to the notion of derivation var(ω) = dimF2 Δ(ω).
(4)
Similarly, there exists an invariant T connected to the notion of transvection. Indeed, the set of transvections is invariant by conjugation in GL(2, m) thus the mapping ω → T(ω) = #{T | ω T = ω} in an invariant. Denoting by Ψu : φ → (φ : Deru h, φ(u)), it is easy to compute since it is equal to T(ω) =
u∈Fm 2
dimF2 ker Ψu ,
(5)
144
P. Langevin and G. Leander / Classification of Boolean Quartic Forms in Eight Variables
For all i, 0 ≤ i ≤ m − k, we can construct a multiplicative invariant Ri,k in considering the dimension of the kernel of the multiplication by ω over the forms of degree i. Denoting by ωi× : f ∈ RM(i, m) → f ω ∈ RM∗ (k + i, m), Ri,k (ω) = dimF2 ker ωi× .
(6)
There is a fundamental invariant of degree 2 arising from the quadratic form theory. Let us recall that the radical of a quadratic form ω ∈ RM∗ (2, m) is the subspace rad(ω) = {y ∈ Fm 2 | ∀ x ω(x + y) + ω(x) + ω(y) = 0}. The fundamental invariant q is q(ω) = dimF2 rad(ω). On an other side, when m = 2t, it is possible to define a quadratic invariant Q of degree t that take only two values. However, it will be particulary useful. It maps ω = S aS XS ∈ RM∗ (t, m), to Q(ω) =
⋆
(7)
aS aS ,
S
where the sum runs over the subset of cardinality t up to complementary in {1, 2, . . . , m}. It is connected to the well known [1] notion of bent function in the sense that the existence of a Boolean function f ∈ RM(t − 1, m) such that ω + f is bent implies that Q(ω) = 0. Given an invariant j of degree k − 1 in m variables, it is possible to construct an invariant of degree k. Indeed using the property 3 of the derivation in RM∗ (k, m), the distribution of the values of the mapping Fω : u → j(Deru ω), is invariant. We denote this distribution by j′ (ω). We refer it as the lift by derivation of j. The distribution of the values of the Fourier coefficients of the Fω is also invariant. It is denoted by j(ω). In practice, j is often more discriminant than j′ , we call it the Fourier lift of j. In the case that concerns us, the Fourier lift of q′ (a double lift), say L, takes 952 values. The combinaison of this invariant with Q, R1 , R2 and L takes 966 values. That is the maximal value we actually get using fast computable invariants. 5. Preclassification of RM∗ (4, 8) The work factor for the computation of the combination of the invariants presented in the above section is about 220 . Thus, we have to reduce drastically the space of quartics constructing a preclassification. We achieved this in three steps. 5.1. First Step Let ω ∈ RM∗ (4, 8), we decompose ω = ω1 + X8 ω 2 ,
ω1 ∈ RM∗ (4, 7),
The group GL(2, 7) acts naturally over RM∗ (4, 8),
ω2 ∈ RM∗ (3, 7).
P. Langevin and G. Leander / Classification of Boolean Quartic Forms in Eight Variables
145
Table 2. The lift by derivation of q discriminates the 12 class of RM∗ (3, 7) orb. size
fix. size
cubic
1 163849992929280 11811 13872660480 1763776 2314956 45354240 59527440 21165312
0 123
92897280 137 + 237 + 147 + 247 + 157 + 267 + 467 70778880 145 + 123 3612672 123 + 456 2752512 123 + 245 + 346 7741440 123 + 145 + 246 + 356 + 456
238109760 444471552 2222357760 13545799680 17777862080
688128 368640 73728 12096 9216
B ∈ GL(2, 7),
124 + 235 + 346 + 457 + 561 + 267 + 137 712 + 724 + 134 + 234 + 135 + 745 + 146 127 + 123 + 147 + 245 + 167 127 + 123 + 234 + 345 + 456 + 567 + 617 127 + 234 + 125 + 457 + 245 + 167 + 126
4
ω ∼ ω1B + X8 ω2B = ω A ,
A=
B0 . 01
Using the classification in Table 2, the set of pairs (ω1 , ω2 ) ∈ cl(4, 7) × RM∗ (3, 7) provides a preclassification of RM∗ (4, 8) of size 7 12 × 2(3) = 12 × 235 = 412316860416;
each pair (ω1 , ω2 ) represents # orb47 (ω1 ) elements. 5.2. Second Step As we saw in Section 3, for any vector v ∈ Fm−1 : 2 4
ω = ω1 + X8 ω2 ∼ ω1 + X8 ω2 + X8 Derv ω1 . The set of pairs (ω1 , ω2 ) ∈ cl(4, 7) × RM∗ (3, 7)/Δ(ω1 ) give a new reduction. Every pair represents # orb47 (ω1 ) × 2var(ω1 ) , the size of this preclassification is equal to 6442450944. 5.3. Third Step The group fix47 (ω1 ) acts over RM∗ (3, 7)/Δ(ω1 ) since the space Δ(ω1 ) is invariant. Starting from a complete classification of RM∗ (4, 7), for all ω1 ∈ cl(4, 7), we determine a set of representatives of RM∗ (3, 7)/Δ(ω1 ) under the action of fix47 (ω1 ). The set ω1 + X8 ω2 ,
ω1 ∈ cl(4, 7), ω2 ∈ RM∗ (3, 7)/Δ(ω1 )/ fix47 (ω1 )
provides a preclassification RM∗ (4, 8) of size 68647 this is very small. Each pair (ω1 , ω2 ) represents # orb47 (ω1 ) × 2var(ω1 ) × # orb(ω2 / fix47 (ω1 )).
146
P. Langevin and G. Leander / Classification of Boolean Quartic Forms in Eight Variables
6. Numerical Results Applying all the notions presented in the preceding sections, we get an invariant say J representing the combination of the three invariants Q, R, and L. The algorithm of Section 1 achieves the classification of RM∗ (4, 8). The details concerning the output of the numerical experiment are available on the projects web site of the first author [9]. • Collisions. There are exactly 30 collisions, 27 collisions of order 2, and 3 collisions of order 3. The number of classes is effectively 966 + 27 + 6 = 999. • Equivalence. To test the equivalence between ω and ω ′ , we compute J(ω) and J(ω ′ ) and if the values are distinct then clearly the forms are not equivalent. If not, we use backtracking to construct (or to prove the nonexistence of) A ∈ GL(2, m) such that Fω′ = Fω ◦ A. • Classification up to complementary. Using the previous point, it is possible to determine equivalence up to complementary, we obtain the following repartition: self comp. not self comp. Q=1 294 168 Q=0 300 236 In particular, there are 418 classes of homogeneous forms h, up to complementary, with Q(h) = 0 that can provide bent functions. • Fixator. The determination of the fixators is strongly ease by the knowledge of the size of the orbits using the Schreier basis method. We have to generate random element in fix(ω) up to we find a group of expected order. • Covering radius of RM-code. The covering radius of Reed–Muller codes are not known in general. The handbook of coding theory [10] says the covering radius of RM(3, 8) satisfies 44 ≤ ρ(3, 8) ≤ 67. Let ω ∈ RM∗ (k, m), and let g ∈ RM(k − 1, m): 1 wt(ω + g) = 2m−1 − S(ω + g), 2
where S(f ) =
(−1)f (x).
x∈Fm 2
Adapting a recent trick of Claude Carlet [11], S(ω + g)2 = 22m − 2
u∈Fm 2
wt(Deru ω + Deru g) ≤ 22m − 2
D(u),
u∈Fm 2
where D(u) is the distance of Deru ω to the code Deru RM(3, 8). Using this result one can verify that the distance (non-linearity of order 3) from Q = 2345 + 1246 + 1356 + 2467 + 3467 + 2567 + 1348 + 1258 + 1358 + 2478 + 3578 + 1678
P. Langevin and G. Leander / Classification of Boolean Quartic Forms in Eight Variables
147
to the set RM(3, 8) satisfies 44 < 50 ≤ nl3,8 (Q), improving seriously the above estimation. Moreover, we solicited Ilya Dumer to run his decoding algorithm for us in order to decode Q. The computation shows that nl3,8 (Q) ≤ 52. • Number of bent functions. Let ω ∈ RM∗ (4, 8) and let nbf(ω) be the number of bent functions of the form ω + g where g ∈ RM(3, 8)/ RM(1, 8). For a given ω, it is possible to compute nbf(ω) in less than 18 days on a single computer. It appears that the total number of bent functions satisfies
ω∈cl(4,8)
nbf(ω) × # orb(ω) ≈ 297.3 .
The method used to obtain this last numerical result is based on the knowledge of the fixator groups (complete classification). It will the subject of a forthcoming paper.
References [1] F.J. MacWilliams and N.J.A. Sloane, The Theory of Error-Correcting Codes, North Holland Mathematical Library, 1977. [2] P. Langevin, P. Rabizzoni, P. Véron, and J.-P. Zanotti, On the number of bent functions with 8 variables, Proc. of BFCA’06 (2006), 125–135. [3] E.R. Berlekamp and L.R. Welch, Distributions of the cosets of the (32, 6) Reed–Muller code, IEEE Trans. IT-13(1) (1972), 203–207. [4] E. Brier and P. Langevin, Classification of the cubic forms of nine variables, IEEE Information Theory Workshop La Sorbonne, Paris, France (2003). [5] X.-D. Hou, GL(m, 2) acting on R(r, m)/R(r − 1, m), Discrete Mathematics 149 (1996), 99–122. [6] J.A. Maiorana. A classification of the cosets of the Reed–Muller code R(1, 6), Mathematics of Computation 57(195) (1991), 403–414. [7] O.S. Rothaus. On Bent Functions, Journal of Combinatorial Theory (A) 20 (1976), 300–305. [8] T. Sugita, T. Kasami, and T. Fujiwara, Weight distributions of the third and fifth order Reed–Muller codes of length 512, Nara Inst. Sci. Tech. Report, Feb. 1996. [9] P. Langevin, Classification of the quartic forms of eight variables, Output of the numerical experiment, www.univ-tln.fr/~langevin/projects/quartics.html. [10] R. Brualdi, S. Litsyn, and V. Pless, Covering Radius, Handbook of coding theory, chap. 8, North Holland, 1998. [11] C. Carlet, Recursive lower bounds on the nonlinearity profile of Boolean functions and their applications, Cryptology ePrint Archive, Report 2006/459, http://eprint.iacr.org/.
148
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-148
Local Affinity of Boolean Mappings Oleg A. LOGACHEV a,1 , Valery V. YASHCHENKO a,2 , and Mikhail P. DENISENKO a a Lomonosov University, Moscow, Russia Abstract. We introduce new concepts and parameters related to the problem of studying the behavior of a Boolean mapping on flats. We also prove several results relating these concepts and parameters with cryptographic properties of Boolean mappings. Moreover, the paper contains many examples. Keywords. Boolean function, Boolean mapping, flat, bent function, plateaued function, parquet, local affinity, affine normal form (af.n.f.), flat of local affinity (FLA), flat of weak local affinity (FWLA), spectrum of FLAs, spectrum of FWLAs, level of affinity, index of linearity
Introduction Many cryptanalytic techniques are based on approximation of a cryptographic mapping in question by mappings that are in a certain sense “almost affine”. Possibility of such an approximation depends heavily on the behavior of the mapping on flats (i.e., cosets of subspaces). In the present paper, we introduce new concepts and parameters related to the problem of studying such behavior. We also prove several results relating these concepts and parameters with cryptographic properties of Boolean mappings.
1. Notation and Definitions Throughout this paper we denote by Vn an n-dimensional vector space over Galois field F2 . We think of elements of Vn column Boolean vectors of length n. A flat of dimension r in Vn (an r-flat) is defined as π = L ⊕ v, where L is a subspace of Vn , dim L = r, and v ∈ Vn . For convenience we define dim ∅ = −1 and dim{v} = 0, v ∈ Vn . Note that a flat π is of dimension 1 (a 1-flat) if π = {u, v}, u = v, u, v ∈ Vn . T A flat π of dimension r, r ≥ 1, is a set of solutions x = x(1) , x(2) , . . . , x(n) ∈ Vn to a consistent system of linear equations of the form Ax = a,
(1)
1 Corresponding Author: Oleg A. Logachev, Information Security Institute, Lomonosov University, 119192 Michurinsky prosp., 1, Moscow, Russia; E-mail: [email protected]. 2 The first two authors were partially supported by the Russian Foundation for Basic Research (grant no. 0701-00154).
O.A. Logachev et al. / Local Affinity of Boolean Mappings
149
where A is an n × n-matrix over F2 of rank n − r and a ∈ Vn . We also introduce specific notation for the following vectors in Vn : • {e1 , e2 , . . . , en } is the canonical basis of the space Vn , ei = (0, . . . , 0, 1, 0, . . . , 0)T (1 is in the ith position), i = 1, 2, . . . , n; • 0 = (0, 0, . . . , 0)T ; • 1 = (1, 1, . . . , 1)T . T For any x = x(1) , x(2) , . . . , x(n) ∈ Vn one has x = x(1) e1 ⊕ x(2) e2 ⊕ (n) · · · ⊕ x en , where ⊕ denotes both addition in F2 and componentwise addition of vectors in3Vn . For arbitrary u, v ∈ Vn denote by u, v! their inner product, i.e., n u, v! = i=1 u(i) v (i) . Further, let Fn,m = {f : Vn → Vm }, where n and m are positive integers. The set Fn,m is a vector space w.r.t. the pointwise operations. For m = 1 one has Fn,1 = Fn , the set of all mappings from Vn into F2 , i.e., the set of all n-variate Boolean functions. Any mapping Φ from Fn,m can be represented as Φ = (f1 , f2 , . . . , fm )T , where fi ∈ Fn is a coordinate Boolean functions of the mapping Φ. For any f ∈ Fn and any vector x = x(1) e1 ⊕ · · · ⊕ x(n) en , f (x) = f x(1) e1 ⊕ · · · ⊕ x(n) en = f x(1) , . . . , x(n) .
Analogously, for any Φ ∈ Fn,m and any vector x, T Φ(x) = Φ x(1) , . . . , x(n) = f1 x(1) , . . . , x(n) , . . . , fm x(1) , . . . , x(n) . 2. Local Affinity One of the most useful and fruitful approaches to the analysis of cryptographic properties (in fact, of cryptographic weaknesses) of Boolean mappings rests on searching “local areas of affinity” in the domain of a Boolean mapping . In other words, the approach is based on studying families of all subsets in the domain of a Boolean mapping where the latter exposes certain properties of an affine mapping. There exist two variations of this approach that are considered in the present section. The first variation (cf., e.g., [1,2]) is based on studying combinatorial and algebraic properties of a set of flats in Vn whose images under a given mapping are flats as well. Let P(Vn ) be the set of all flats in Vn (including the empty one). Definition 1. Let Φ ∈ Fn,m . A flat π ∈ P(Vn ) \ {∅} is called a flat of weak local affinity (FWLA) of Φ if Φ(π) ∈ P(Vm ). The set PΦ (Vn ) = {π ∈ P(Vn ) \ {∅} | Φ(π) ∈ P(Vm )} is called the family of FWLAs of the mapping Φ. For a particular d, 0 ≤ d ≤ n, the set PdΦ (Vn ) = {π ∈ P(Vn ) \ {∅} | Φ(π) ∈ P(Vm ), dim π = d}
150
O.A. Logachev et al. / Local Affinity of Boolean Mappings
is called the family of d-dimensional FWLAs. The spectrum of FWLAs of Φ is the set of nonnegative integers SPΦ (Vn ) = {ν0 (Φ), ν1 (Φ), . . . , νn (Φ)}, where νd (Φ) = #PdΦ (Vn ). Remark 1. We use notation and definitions somewhat distinct from that used in [1,2]. This is justified by the more general setting we consider. Namely, we study the case of a general mapping from Vn into Vm , not necessarily one-to-one as in the cited papers. Also, our versions of definitions seem to be better suited for investigation of interrelations between weak local affinity and other cryptographic properties of Boolean mappings. It is evident that for any Φ ∈ Fn,m one has ν0 (Φ) = 2n . Furthermore, Φ({u, v}) ∈ P(Vm ) for any u, v ∈ Vn , u = v, since any 2-element set is a 1-flat and any 1-element set is a 0-flat. Hence, for arbitrary Φ ∈ Fn,m one has ν1 (Φ) = n2 . In the case when n = m and Φ ∈ Fn,n is one-to-one (i.e., a permutation on Vn ) one has νn (Φ) = 1. Moreover, Hou [2] proved that a permutation Φ takes any 2-flat to 2-flat iff Φ is an affine transform of Vn . Define by An,m the set of all affine mappings from Vn into Vm , An,m ⊆ Fn,m . In the case m = 1 we have An,1 = An , the set of all affine Boolean functions. For any Φ ∈ An,m there exists an m × n-matrix AΦ over F2 and a vector aΦ ∈ Vm such that Φ(x) = AΦ x ⊕ aΦ
(2)
for any x ∈ Vn . As usual, we denote the restriction of a mapping Φ ∈ Fn,m to a set M ⊆ Vn by Φ|M . The second variation of our approach is based on studying combinatorial and algebraic properties of the set of flats that are areas of local affinity of the mapping in question, i.e., this mapping restricted to any of these flats is an affine mapping. Definition 2. Let Φ ∈ Fn,m . A flat π ∈ P(Vn ) \ {∅} is called a flat of local affinity (FLA) of Φ if there exists Ψ = Ψ(π) ∈ An,m such that Φ|π = Ψ|π . The set Φ (Vn ) = {π ∈ P(Vn ) \ {∅} | ∃ Ψ = Ψ(π) ∈ An,m : Φ|π = Ψ|π } P
is called the family of FLAs of the mapping Φ. For a particular d, 0 ≤ d ≤ n, the set dΦ (Vn ) = {π ∈ P(Vn ) \ {∅} | ∃ Ψ = Ψ(π) ∈ An,m : Φ|π = Ψ|π , dim π = d} P
is called the family of d-dimensional FLAs. The spectrum of FLAs of Φ is the set of nonnegative integers 4 Φ (Vn ) = {μ0 (Φ), μ1 (Φ), . . . , μn (Φ)}, SP
d (Vn ). where μd (Φ) = #P Φ
O.A. Logachev et al. / Local Affinity of Boolean Mappings
151
Table 1. x ⎧ ⎪ (0, 0, 0)T ⎪ ⎪ ⎪ ⎨ (0, 0, 1)T π= ⎪ (0, 1, 0)T ⎪ ⎪ ⎪ ⎩ (0, 1, 1)T ⎧ T ⎪ ⎪ (1, 0, 0) ⎪ ⎪ ⎨ (1, 0, 1)T π′ = ⎪ ⎪ (1, 1, 0)T ⎪ ⎪ ⎩ (1, 1, 1)T
Φ(x) ⎫ (1, 0, 0)T ⎪ ⎪ ⎪ ⎪ (1, 0, 1)T ⎬
= π′ (1, 1, 0)T ⎪ ⎪ ⎪ ⎪ ⎭ (1, 1, 1)T ⎫ (0, 0, 0)T ⎪ ⎪ ⎪ ⎪ (0, 0, 0)T ⎬ = π1 (0, 0, 0)T ⎪ ⎪ ⎪ ⎪ ⎭ (0, 0, 1)T
The next example shows that for Boolean functions the local affinity is a stronger notion as compared with the weak local affinity. Example 1. Let n = m = 3. Consider the mapping Φ ∈ F3,3 whose table of values is given in Table 1. 8 9 The set π = (0, 0, 0)T , (0, 0, 1)T , (0, 1, 0)T , (0, 1, 1)T is a flat in the space V3 . It is clear that π ′ = π⊕e1 is a flat as well and dim π ′ = dim π = 2. Moreover, π∪π ′ = V3 . It is evident that Φ(π) = π ′ and restrictions of the mappings Φ and Ψ : x → x ⊕ e1 to the flat π coincide. Hence 8 the flat π is a FLA9for the mapping Φ. On the other hand, Φ(π ′ ) = π1 , where π1 = (0, 0, 0)T , (0, 0, 1)T , dim π1 = 1. Suppose that restriction of the mapping Φ to π ′ coincides with restriction to this flat of certain affine mapping Ψ ∈ A3,3 . The mapping Ψ is of the form x → Ax ⊕ a, where x, a ∈ V3 and A is a Boolean 3 × 3-matrix. Since Ψ is affine, the next identity holds for any u, v ∈ V3 : Ψ(u ⊕ v) ⊕ Ψ(0) = Ψ(u) ⊕ Ψ(v)
(3)
Consider two pairs (u, v), (u′ , v ′ ) such that u, v, u′ , v ′ ∈ V3 , (u, v) = (u′ , v ′ ), and u ⊕ v = u′ ⊕ v ′ . Identity (3) implies Ψ(u) ⊕ Ψ(v) = Ψ(u′ ) ⊕ Ψ(v ′ ). Let u = (1, 0, 0)T , v = (1, 1, 0)T , u′ = (1, 0, 1)T , v ′ = (1, 1, 1)T . Then u ⊕ v = u′ ⊕ v ′ = (0, 1, 0)T . However, Ψ(u) ⊕ Ψ(v) = (0, 0, 0)T = (0, 0, 1)T = Ψ(u′ ) ⊕ Ψ(v ′ ). The contradiction derived shows that restrictions of Φ and any affine mapping to the flat π ′ can not coincide. Hence the flat π ′ is FWLA for Φ, but not FLA. Proposition 1. Let Φ ∈ Fn,m . The following statements hold: 1) 2) 3) 4) 5)
any FLA of the mapping Φ is also its FWLA; Φ (Vn ) = P Φ′ (Vn ); if A ∈ An,m , then for Φ′ = Φ ⊕ A we have P PΦ (Vn ) ⊆ PΦ (Vn ); d (Vn ) ⊆ Pd (Vn ), d = 0, 1, . . . , n; P Φ Φ μd (Φ) ≤ νd (Φ), d = 0, 1, . . . , n.
152
O.A. Logachev et al. / Local Affinity of Boolean Mappings
Proof. Follows from Definitions 1 and 2. The present paper is devoted mainly to FLAs. Proposition 2. Let Φ ∈ Fn,m . The following statements hold: Φ (Vn ), π1 = ∅, π2 = ∅ and π2 ⊆ π1 , then π2 ∈ P Φ (Vn ); 1) if π1 ∈ P Φ (Vn ), π1 ∩ π2 = ∅, then π1 ∩ π2 ∈ P Φ (Vn ). 2) if π1 , π2 ∈ P
Proof. Statement 1 follows from Definition 2. To prove Statement 2, consider Eq. (1). The set of vectors of the flat π1 coincides with the a set of solutions to certain system of equations Ax = a. The same holds for the flat π2 and a system of equations A′ x = a′ . Hence the set of vectors π1 ∩π2 coincides with a set of solutions to the system A′′ x = a′′ , where A′′ is a Boolean n × n-matrix such that rank A′′ = rank
:
; A . A′
Thus π1 ∩ π2 = π is a flat in Vn and now Statement 2 follows from Statement 1. Φ (Vn ). This set is partially ordered w.r.t. set-theoretic incluNow consider the set P Φ (Vn ) covers the flat π1 ∈ P Φ (Vn ) if π1 ⊂ π2 sion ⊆. As usual, we say that a flat π2 ∈ P ′ ′ and there is no flat π ∈ PΦ (Vn ) such that π1 ⊂ π ⊂ π2 . Φ (Vn ) can be represented graphically by its Hasse diAs a partially ordered set, P agram. A Hasse diagram of PΦ (Vn ) is a figure that consists of points representing el Φ (Vn ) and line segments between some of these points. This figure must ements of P satisfy the following conditions:
• if π1 ⊂ π2 , then the point corresponding to π1 appears lower than the point corresponding to π2 ; • the points representing π1 and π2 are connected by a line segment iff π2 covers π1 or π1 covers π2 .
Φ (Vn ) are singletons {x}, x ∈ Vn , Minimal elements of the partially ordered set P 4 which are flats of dimension 0. Let MΦ (Vn ) be the set of all maximal elements of the Φ (Vn ). partially ordered set P 4Φ (Vn ) determines P Φ (Vn ) unambiguously. Proposition 3. The set M
Φ (Vn ) is exactly the set of flats that are subProof. Follows from Proposition 2 since P 4 sumed by at least one of the flats in MΦ (Vn ).
Example 2. Let n = 2 and let Φ ∈ F2,2 be given in Table 2. It is easy to see (cf. Example 1) that < =Φ is not affine. For any positive integer n the number of r-flats in Vn (cf. [3]) is 2n−r nr , where : ; (2n −1)(2n −2)...(2n −2r−1 ) n r r r r−1 = (2 −1)(2 −2)...(2 −2 ) r 1
if 1 ≤ r ≤ n;
if r = 0.
O.A. Logachev et al. / Local Affinity of Boolean Mappings
153
Table 2. x
Φ(x)
u0 = (0, 0)T (1, 1)T u1 = (0, 1)T (1, 0)T u2 = (1, 0)T (1, 1)T u3 = (1, 1)T (0, 1)T
Table 3. r
The number of flats of dimension r
0
4
1
6
The set of flats of dimension r 9 9 8 8 π0 = (0, 0)T , π1 = (0, 1)T , 9 9 8 8 π2 = (1, 0)T , π3 = (1, 1)T
2
1
π = π0,1,2,3 = V2
π0,1 , π0,2 , π0,3 , π1,2 , π1,3 , π2,3
is the Gaussian binomial coefficient. Hence the total number of flats in Vn not counting the empty one is n r=0
2n−r
: ; n . r
Table 3 gives the number of r-flats in V2 and enumerates all these flats. The flats in Table 3 are enumerated according to the ordering of vectors in V2 (cf. Table 2). The total number of such flats in V2 is 11. For the set of 0-flats the next inclusion hold: Φ (V2 ) ⊆ PΦ (Vn ), {π0 , π1 , π2 , π3 } ⊂ P
since for any πi = {ui }, i = 0, 1, 2, 3 the mapping Φ|πi coincides with the affine mapping Ψ : x → x ⊕ (ui ⊕ Φ(ui )), x ∈ V2 . For the flat π0,1 we have Φ(π0,1 ) = (1, 1)T , (1, 0)T .
The general affine group GA(Vn )is 2-transitive for any n ≥ 1 (cf. [3]). Therefore there exists g ∈ GA(V2 ) such that g (0, 0)T = (1, 1)T , g (0, 1)T = (1, 0)T , i.e., Φ (V2 ). Φ|π0,1 = g|π0,1 . Hence, π0,1 ∈ P Since #Φ(π0,3 ) = #Φ(π1,2 ) = #Φ(π1,3 ) = #Φ(π2,3 ) = 2, the same reasoning as above implies Φ (V2 ). {π0,1 , π0,3 , π1,2 , π1,3 , π2,3 } ⊂ P
Consider the flat π0,2 , Φ(π0,2 ) = {(1, 1)T }. In the case at hand it is easy to show that for affine mapping Ψ(x) =
(1) 1 01 x ⊕ 1 00 x(2)
154
O.A. Logachev et al. / Local Affinity of Boolean Mappings
π0,1 π0,2 π0,3 π1,2 π1,3 π2,3 s s s s s ✟s ❍❍ ❍❍ ✟ ❍❍ ❅ ✟ ✟ ❍❍ ✟ ✟ ❍❍ ❅❍❍ ❍❍✟✟✟ ✟✟ ❍❍ ✟ ❅ ❍❍❍ ✟ ❍ ❍❍ ❅ ❍❍ ✟✟ ❍❍✟✟ ❍✟ ✟ ❅ ❍❍ ❍ ❍ ✟ ❍❍s ❍❍✟ ❅s s ✟ ❍s✟✟ π1 π2 π3 π0 Φ (V2 ). Figure 1. A Hasse diagram of P
Φ (V2 ). Moreover, it is clear that relation Ψ|π0,2 = Φ|π0,2 holds. Hence, π0,2 ∈ P Φ (V2 ). / PΦ (V2 ) and π0,1,2,3 ∈ /P π0,1,2,3 ∈ Thus, for the mapping Φ being considered one has Φ (V2 ) = {π0 , π1 , π2 , π3 , π0,1 , π0,2 , π0,3 , π1,2 , π1,3 , π2,3 }, PΦ (V2 ) = P 4 Φ (V2 ) = (4, 6, 0), SPΦ (V2 ) = SP
4Φ (V2 ) = {π0,1 , π0,2 , π0,3 , π1,2 , π1,3 , π2,3 } M
Φ (V2 ) is shown in Figure 1. A Hasse diagram of P
Definition 3. A partition of the space Vn into flats is called a parquet of this space.
Φ (Vn ) is called a Definition 4. A partition of the space Vn into flats belonging to P parquet of this space w.r.t. the mapping Φ.
If the particular mapping is clear from the context, then we would speak for simplicity about a parquet of the space Vn . The parquet D0 = is called trivial.
88
99 9 8 9 8 (0, . . . , 0)T , (0, . . . , 1)T , . . . , (1, . . . , 1)T
Remark 2. For any mapping Φ ∈ Fn,m there exists a parquet of Vn w.r.t. Φ, but this parquet is not necessarily unique. Remark 3. Let D be a parquet of the space Vn . Then the set {Φ ∈ Fn,m | D is a parquet of Vn w.r.t. Φ} is a subspace of Fn,m . Example 3. Parquets of V2 w.r.t. the mapping Φ : V2 → V2 considered in Example 2 are as follows: D1 = {π0,1 , π2,3 },
D2 = {π0,2 , π1,3 },
D3 = {π0,2 , π1 , π3 }.
O.A. Logachev et al. / Local Affinity of Boolean Mappings
155
Example 4 (GSM stream cipher A5). Let Φ : V64 → V64 be the mapping used in GSM stream cipher A5. Denote by L the 61-dimensional subspace {x ∈ V64 | x10 = x30 = x53 = 0} of V64 . Then D = {L, L ⊕ e10 , L ⊕ e30 , L ⊕ e53 , L ⊕ e10 ⊕ e30 , L ⊕ e10 ⊕ e53 , L ⊕ e30 ⊕ e53 , L ⊕ e10 ⊕ e30 ⊕ e53 } is a parquet of V64 w.r.t. Φ. Furthermore, Φ|L = Φ|L⊕e10 ⊕e30 ⊕e53
Φ|L⊕e53 = Φ|L⊕e10 ⊕e30
Φ|L⊕e30 = Φ|L⊕e10 ⊕e53
Φ|L⊕e10 = Φ|L⊕e30 ⊕e53
⎤ B1 0 0 = ⎣ 0 B2 0 ⎦ 0 0 B3 ⎤ ⎡ B1 0 0 = ⎣ 0 B2 0 ⎦ B1 and E1 = id19 are 19 × 19-matrices; 0 0 E3 ⎤ B2 and E2 = id22 are 22 × 22-matrices; ⎡ B1 0 0 = ⎣ 0 E2 0 ⎦ B3 and E3 = id23 are 23 × 23-matrices. 0 0 B3 ⎤ ⎡ E1 0 0 = ⎣ 0 B2 0 ⎦ 0 0 B3 ⎡
Let S ⊆ Vn . By χS we denote the characteristic function of the set S. For any flat Φ (Vn ) denote by Ψπ a mapping chosen arbitrarily among affine mappings Ψ such π∈P that Φ|π = Ψ|π .
Definition 5. Let D be a parquet of the space Vn w.r.t. a mapping Φ ∈ Fn,m . An affine normal form (af.n.f.) of the mapping Φ w.r.t. the parquet D is as follows: Φ(x) =
%
χπ (x)Ψπ (x),
π∈D
x ∈ Vn .
(4)
The length of af.n.f. is defined to be #D. Now we turn to the next research problem: which numerical parameters of Boolean mappings defined so far are invariant w.r.t. the action of the general affine group. Theorem 1. For any Φ ∈ Fn,m spectra of weak local affinity and local affinity are affine invariants. Proof. Let Φ ∈ Fn,m and g ∈ GA(Vn ). There exist a nonsingular Boolean n × n-matrix A and b ∈ Vn such that g(x) = Ax ⊕ b. Consider a mapping Φ′ ∈ Fn,m of the form Φ′ (x) = Φg (x) = Φ(g(x)), x ∈ Vn . The element g−1 of the group GA(Vn ) acts on the flat π = u ⊕ L according to the next chain of equalities:
156
O.A. Logachev et al. / Local Affinity of Boolean Mappings
g−1 (π) = g−1 (u ⊕ L) = A−1 (u ⊕ L) ⊕ A−1 b = A−1 (L) ⊕ A−1 (u ⊕ b) = L′ ⊕ A−1 (u ⊕ b) = π ′ . Here L′ = A−1 (L) is a subspace of Vn and dim π ′ = dim L′ = dim L = dim π due to nonsingularity of the matrix A. Hence π ′ is a flat and Φ′ (π ′ ) = Φg (π ′ ) = Φg (g−1 π) = Φ(g(g−1 π)) = Φ(g · g−1 (π)) = Φ(π).
(5)
Therefore g−1 is a permutation of the set P(Vn ) \ {∅}. Moreover, if π is a FWLA of the mapping Φ, then (5) implies that π ′ is a FWLA of Φ′ . Dimensions of the flats π and π ′ are equal, thus we have SPΦ (Vn ) = SPΦ′ (Vn ) and the first part of the theorem follows. Now suppose that π is a FLA of the mapping Φ and Φ|π = Ψ|π , where Ψ(x) = Bx ⊕ c, B is a Boolean m × n-matrix, and c ∈ Vm . It is easy to see that equalities Φ′ = Φg and π ′ = g−1 (π) imply the relation Φ′ |π′ = Ψg |π′ , where Ψg : x → Ψ(g(x)) = Ψ(Ax ⊕ Ab) = B(Ax ⊕ Ab) ⊕ c = BAx ⊕ (BAb ⊕ c) is an affine mapping, Ψg (x) ∈ Fn,m . Hence, BΦ′ (Vn ). BΦ (Vn ) = SP SP
Definition 6. Let Φ ∈ Fn,m . Generalized level of affinity of the mapping Φ is the nonnegative integer La(Φ) =
min
4Φ (Vn ) π∈M
(n − dim π) = n −
max
4Φ (Vn ) π∈M
dim π.
(6)
Given an integer k, 0 ≤ k ≤ n, a set of indices {j1 , . . . , jk }, 1 ≤ j1 < · · · < jk ≤ (1) ,...,a(k) n, and a vector a(1) , . . . , a(k) ∈ Vk , we denote by πja1 ,...,j the flat in PΦ (Vn ) of k the form (1) (j1 ) ,...,a(k) (1) (jk ) (k) x . (7) = a , . . . , x = a = x ∈ V πja1 ,...,j n k
The set of all such flats in PΦ (Vn ) is denoted by QΦ (Vn ). Furthermore, let Q0Φ (Vn ) be Φ (Vn ) and Q 0 (Vn ) the sets the set of all flats of the form πj0,...,0 . We also denote by Q Φ 1 ,...,jk 0 Φ (Vn ) and Q (Vn ) ∩ P Φ (Vn ), respectively. QΦ (Vn ) ∩ P Φ Definition 7. Let Φ ∈ Fn,m .
1. Level of affinity of the mapping Φ is the nonnegative integer la(Φ) =
min
Φ (Vn ) π∈Q
(n − dim π) = n −
max
Φ (Vn ) π∈Q
dim π.
(8)
2. Partial level of affinity of the mapping Φ is the nonnegative integer la0 (Φ) =
min
0 (Vn ) π∈Q Φ
(n − dim π) = n −
max
0 (Vn ) π∈Q Φ
dim π.
(9)
O.A. Logachev et al. / Local Affinity of Boolean Mappings
157
Remark 4. For m = 1, our definition of the level of affinity is equivalent to the definition of this parameter given in [4]. Our definition of partial level of affinity is equivalent to the definition of the same parameter proposed in [5]. Proposition 4. For arbitrary mapping Φ ∈ Fn,m we have La(Φ) ≤ la(Φ) ≤ la0 (Φ).
(10)
4Φ (Vn ) and Definitions 6 and 7. Proof. Follows from the properties of the set M
Tailoring Boolean mappings for cryptographic applications is usually based on certain ad hoc techniques. One of these techniques consists in constructing nonlinear mapping given affine ones with the help of so-called selection functions. Definition 8 ([6]). Let Vn , Vm , Vk be vector spaces over F2 and h be a linear mapping from Vn into Vk . Let Au ∈ An,m for any u ∈ Vk . Define Φ ∈ Fn,m by Φ(x) = Ah(x) (x),
x ∈ Vn .
(11)
The mapping Φ is defined by a pair ({Au | u ∈ Vn }, h) where {Au | u ∈ Vn } is a family of affine mappings and h is a selection function. It is easy to see that any Φ ∈ Fn,m can be represented in the form (11). Indeed, it suffices to put n = k, h(x) = x, and Ax (x) = Φ(x) for any x ∈ Vn . It is clear that studying such mappings reduces to the case when the selection function h is surjective and n ≥ k. Note that in general a representation of a mapping in the form (11) is not unique. Definition 9 ([6]). Linearity index of a mapping Φ ∈ Fn,m is the minimum k taken over all representations of the mapping in the form (11). Linearity index of a mapping Φ is denoted by il(Φ). This parameter measures a distance from Φ to the set of all affine mappings. This distance is maximal for mappings with maximal parameter il(Φ). Finding an efficient algorithm for evaluating linearity index is an ambitious problem. Moreover, there exists a natural relation involving linearity index and generalized level of affinity of a mapping. Let Φ ∈ Fn,m be represented in the form (11) and il(Φ) = k. Let L = ker(h). Since h(Vn ) = Vk , we have dim L = n − k. For arbitrary vectors x and x′ belonging to a flat πa = L ⊕ a, a ∈ Vn , we have h(x′ ) = h(x) = u,
u ∈ Vk ,
Φ (Vn ) and hence i.e., Φ|πa = Au |πa , where Au ∈ A ⊂ An,m . Then πa ∈ P La(Φ) = n −
max
Φ (Vn ) π∈P
dim π ≤ n − dim πa = n − (n − k) = k = il(Φ).
Example 5. Let Φ : V64 → V64 be the mapping used in GSM stream cipher A5 (cf. also Example 4). Then il(Φ) = 2,
h(x) = (x10 ⊕ x30 , x10 ⊕ x53 )T .
158
O.A. Logachev et al. / Local Affinity of Boolean Mappings
Many cryptographic properties of mappings are related to several parameters of weak local affinity (local affinity). In some cases, the way of constructing of a mapping as well as the primitives used in this constructing are very important. For example (cf. [1]), a one-to-one mapping Φ ∈ Fn,n such that ν2 (Φ) = 0 is almost perfect non-linear (APN, cf. [7,8]).
3. Case Study: Local Affinity of Boolean Functions In this section we consider a cryptographically significant class of Boolean mappings, namely, the class of Boolean functions (i.e., Boolean mappings from Vn to V1 = F2 ). Since any subset of V1 is a flat, we have Pf (Vn ) = P(Vn ) \ {∅} for any f ∈ Fn . Hence one needs to study only local affinity of Boolean functions. We restate Definition 2 for Boolean functions. Definition 10. Let f ∈ Fn . A flat π ∈ P(Vn ) \ {∅} is called a flat of local affinity (FLA) of f if there exists ψ = ψ(π) ∈ An such that f |π = ψ|π . The set f (Vn ) = {π ∈ P(Vn ) \ {∅} | ∃ ψ = ψ(π) ∈ An : f |π = ψ|π } P
is called the family of FLAs of the function f . For a particular d, 0 ≤ d ≤ n, the set d (Vn ) = {π ∈ P(Vn ) \ {∅} | ∃ ψ = ψ(π) ∈ An : f |π = ψ|π , dim π = d} P f
is called the family of d-dimensional FLAs. The spectrum of FLAs of f is the set of nonnegative integers 4 f (Vn ) = {μ0 (f ), μ1 (f ), . . . , μn (f )}, SP
d (Vn ). where μd (f ) = #P f
f (Vn ), 4f (Vn ) be the set of all maximal elements of the partially ordered set P Let M 4f (Vn ) as well. where f ∈ Fn . Propositions 2 and 3 hold for M
f (Vn ) is called a Definition 11. A partition of the space Vn into flats belonging to P parquet of this space w.r.t. the Boolean function f .
If the particular function is clear from the context, then we would speak for simplicity about a parquet of the space Vn . Example 6. Let ⎧ ⎫ (0, 0, 0, 0)T ⎪ ⎪ ⎪ ⎪ ⎨ ⎬ (1, 0, 0, 0)T , L1 = T (0, 1, 0, 0) ⎪ ⎪ ⎪ ⎪ ⎩ ⎭ (1, 1, 0, 0)T Then
⎧ ⎫ (0, 0, 0, 0)T ⎪ ⎪ ⎪ ⎪ ⎨ ⎬ (0, 1, 0, 0)T L2 = T (0, 0, 1, 0) ⎪ ⎪ ⎪ ⎪ ⎩ ⎭ (0, 1, 1, 0)T
(dim L1 = dim L2 = 2).
O.A. Logachev et al. / Local Affinity of Boolean Mappings
159
D = {π1 = L1 , π2 = L1 ⊕ e3 , π3 = L2 ⊕ e2 ⊕ e4 , π4 = L2 ⊕ e1 ⊕ e2 ⊕ e3 ⊕ e4 } is a parquet of V4 w.r.t. any Boolean function of the form
f (x) =
4 %
χπi (x)li (x),
i=1
where li ∈ A4 , i = 1, 2, 3, 4. Let ⎧ ⎫ (0, 0, 0, 0)T ⎪ ⎪ ⎪ ⎪ ⎨ ⎬ (0, 0, 1, 0)T ⊥ , L1 = ⎪(0, 0, 0, 1)T ⎪ ⎪ ⎪ ⎩ ⎭ (0, 0, 1, 1)T
Then
⎧ ⎫ (0, 0, 0, 0)T ⎪ ⎪ ⎪ ⎪ ⎨ ⎬ (1, 0, 0, 0)T ⊥ L2 = ⎪(0, 0, 0, 1)T ⎪ ⎪ ⎪ ⎩ ⎭ (1, 0, 0, 1)T
⊥ (dim L⊥ 1 = dim L2 = 2).
9 8 ′ ⊥ ′ ⊥ ′ ⊥ D⊥ = π1′ = L⊥ 1 , π2 = L1 ⊕ e2 , π3 = L2 ⊕ e3 , π4 = L2 ⊕ e1 ⊕ e2 ⊕ e3 ⊕ e4
is the dual parquet of D (cf. Definition 15).
Definition 12. Let D be a parquet of the space Vn w.r.t. a Boolean function f ∈ Fn . An affine normal form (af.n.f.) of the function f w.r.t. the parquet D is as follows f (x) =
%
χπ (x)ψπ (x),
π∈D
x ∈ Vn ,
(12)
where {ψπ | π ∈ D} is a family of affine functions such that f |π = ψπ |π for any π ∈ D. The length of af.n.f. is defined to be #D. Example 7. Consider the Maiorana–McFarland construction for bent functions (cf., e.g., [7,9]). Namely, let g ∈ Fn , n = k + l, be defined by g(z) = x, Φ(y)! ⊕ φ(y) =
k % i=1
x(i) fi (y) ⊕ φ(y),
z = (x, y)T , x ∈ Vk , y ∈ Vl ,
9 8 where Φ ∈ Fl,k , Φ = (f1 , . . . , fk ), φ ∈ Fl . Let L = (x, 0)T x ∈ Vk be the subspace of Vn and zy = (0, y)T ∈ Vn for y ∈ Vl . Then the space Vn is a union of disjoint flats πy = L ⊕ zy , y ∈ Vl . Furthermore, g (x, y)T = x, u! ⊕ b for any (x, y)T ∈ πy , where u = Φ(y) and b = φ(y) are fixed. Hence {πy | y ∈ Vl } is a parquet of Vn w.r.t. g. Example 8 ([10]). Let f be the filtering function of Lili-128:
160
O.A. Logachev et al. / Local Affinity of Boolean Mappings
Table 4. i
χπi
i
1
x1 x2 x3 x4
18
2
x1 x2 x3 x4 x5
19
3
x1 x2 x3 x4 x5
20
4
x1 x2 x3 x4 (x10 ⊕ x9 ⊕ 1)
21
x1 x2 x3 x4 (x10 ⊕ x9 ⊕ x5 ⊕ 1)
23
x1 x2 x3 x4 (x10 ⊕ x8 ⊕ 1)
25
x1 x2 x3 x4 x5 (x10 ⊕ x7 ⊕ 1)
27
x1 x2 x3 x4 x5 (x10 ⊕ x6 ⊕ 1)
29
x1 x2 x3 x4 (x9 ⊕ x5 ⊕ 1)
31
x1 x2 x3 x4 (x8 ⊕ x5 ⊕ 1)
33
5 6 7 8 9 10 11 12 13 14 15 16 17
x1 x2 x3 x4 (x10 ⊕ x9 ⊕ 1)
22
x1 x2 x3 x4 (x10 ⊕ x9 ⊕ x5 ⊕ 1)
24
x1 x2 x3 x4 (x10 ⊕ x8 ⊕ 1)
26
x1 x2 x3 x4 x5 (x10 ⊕ x7 ⊕ 1)
28
x1 x2 x3 x4 x5 (x10 ⊕ x6 ⊕ 1)
30
x1 x2 x3 x4 (x9 ⊕ x5 ⊕ 1)
32
x1 x2 x3 x4 (x8 ⊕ x5 ⊕ 1)
χπi x1 x2 x3 x4 (x7 ⊕ x5 ) x1 x2 x3 x4 (x7 ⊕ x5 ) x1 x2 x3 x4 (x7 ⊕ x5 ) x1 x2 x3 x4 (x7 ⊕ x5 )
x1 x2 x3 x4 (x10 ⊕ x9 ⊕ x8 ⊕ x5 ) x1 x2 x3 x4 (x10 ⊕ x9 ⊕ x8 ⊕ x5 ) x1 x2 x3 x4 (x10 ⊕ x9 ⊕ x7 ⊕ x5 ) x1 x2 x3 x4 (x10 ⊕ x9 ⊕ x7 ⊕ x5 )
x1 x2 x3 x4 (x10 ⊕ x9 ⊕ x6 ⊕ x5 ) x1 x2 x3 x4 (x10 ⊕ x9 ⊕ x6 ⊕ x5 ) x1 x2 x3 x4 (x10 ⊕ x8 ⊕ x7 ⊕ x5 ) x1 x2 x3 x4 (x10 ⊕ x8 ⊕ x7 ⊕ x5 ) x1 x2 x3 x4 (x10 ⊕ x8 ⊕ x6 ⊕ x5 ) x1 x2 x3 x4 (x10 ⊕ x8 ⊕ x6 ⊕ x5 ) x1 x2 x3 x4 (x10 ⊕ x7 ⊕ x6 ⊕ x5 ) x1 x2 x3 x4 (x10 ⊕ x7 ⊕ x6 ⊕ x5 )
f (x1 , x2 , . . . , x10 ) = x5 ⊕ x4 ⊕ x3 ⊕ x2 ⊕ x10 x6 ⊕ x10 x4 ⊕ x9 x3 ⊕ x9 x1 ⊕ x8 x2 ⊕ x8 x1 ⊕ x7 x6 ⊕ x10 x9 x5 ⊕ x10 x9 x4 ⊕ x10 x9 x3 ⊕ x10 x9 x2 ⊕ x10 x8 x4 ⊕ x10 x8 x3 ⊕ x10 x7 x6 ⊕ x10 x7 x5 ⊕ x10 x7 x4 ⊕ x9 x8 x6 ⊕ x9 x8 x3 ⊕ x9 x7 x6 ⊕ x9 x7 x4 ⊕ x9 x7 x3 ⊕ x10 x9 x8 x6 ⊕ x10 x9 x8 x4 ⊕ x10 x9 x8 x3 ⊕ x10 x9 x8 x1 ⊕ x10 x9 x7 x6 ⊕ x10 x9 x7 x4 ⊕ x10 x9 x7 x2 ⊕ x10 x8 x7 x5 ⊕ x10 x8 x7 x3 ⊕ x9 x8 x7 x4 ⊕ x9 x8 x7 x2 ⊕ x9 x7 x6 x5 ⊕ x9 x7 x6 x4 ⊕ x10 x9 x8 x7 x4 ⊕ x10 x9 x8 x7 x4 ⊕ x10 x9 x8 x7 x3 ⊕ x10 x9 x7 x6 x5 ⊕ x10 x9 x7 x6 x4 ⊕ x9 x8 x7 x6 x5 ⊕ x9 x8 x7 x6 x4 ⊕ x10 x9 x8 x7 x6 x5 ⊕ x10 x9 x8 x7 x6 x4 .
333 Then f (x) = i=1 χπi (x)lπi (x) is an affine normal form of f , where χπi and lπi are given in Tables 4 and 5, respectively. Recall the definitions of some commonly used notions related to Boolean functions. Definition 13. The Walsh transform of a Boolean function f ∈ Fn is the integer-valued function Wf : Vn → [−2n , 2n ] given by (−1)f (x)⊕u,x . Wf (u) = x∈Vn
For any u ∈ Vn , the integer Wf (u) is called the Walsh coefficient of the function f . The set {Wf (u) | u ∈ Vn } is said to be the Walsh spectrum of f . The next lemma is useful for relating the Walsh transform to an af.n.f. of a Boolean function.
O.A. Logachev et al. / Local Affinity of Boolean Mappings
161
Table 5. i 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
i
lπi
x10 x9 ⊕ x8 ⊕ x7
lπi
18
x10 ⊕ x9 ⊕ x8
x10 x9 ⊕ x8 ⊕ x7 ⊕ 1
20
x9 ⊕ x8 ⊕ x7 ⊕ 1
22
x9 ⊕ x8 ⊕ x7 ⊕ 1
24
x10 ⊕ x8 ⊕ x7 ⊕ 1
26
x10 ⊕ x9 ⊕ x7 ⊕ 1
28
x10 ⊕ x9 ⊕ x8 ⊕ 1
30
x9 ⊕ x8 ⊕ x7
32
x10 x9 ⊕ x8 ⊕ x7
19
x9 ⊕ x8 ⊕ x7
21
x9 ⊕ x8 ⊕ x7
23
x10 ⊕ x8 ⊕ x7
25
x10 ⊕ x9 ⊕ x7
27
x10 ⊕ x9 ⊕ x8
29
x9 ⊕ x8 ⊕ x7
31
x10 ⊕ x8 ⊕ x7
33
x10 ⊕ x8 ⊕ x7
x10 ⊕ x9 ⊕ x7 x10 ⊕ x9 ⊕ x8 x10 ⊕ x9 ⊕ x8 x8 ⊕ x7
x8 ⊕ x7 ⊕ 1 x9 ⊕ x7
x9 ⊕ x7 ⊕ 1 x9 ⊕ x8
x9 ⊕ x8 ⊕ 1 x10 ⊕ x7
x10 ⊕ x7 ⊕ 1 x10 ⊕ x8
x10 ⊕ x8 ⊕ 1 x10 ⊕ x9
x10 ⊕ x9 ⊕ 1
Lemma 1 ([9]). Let f ∈ Fn , a, b ∈ Vn , and let L be a subspace of Vn . Then
(−1)f (x)⊕b,x = 2dim L−n (−1)a,b
x∈a⊕L
Wf (y)(−1)a,y .
(13)
y∈b⊕L⊥
Let f ∈ Fn and let D = {π1 , . . . , πm } be a parquet of the space Vn w.r.t. the function f . Suppose that an af.n.f. of the function f is given by
f (x) =
m %
χπi (x)ψπi (x),
(14)
i=1
where ψπi (x) = ai , x! ⊕ ǫi , ai ∈ Vn , ǫi ∈ F2 , i = 1, 2, . . . , m. Furthermore, let πi = bi ⊕ Li , where bi ∈ Vn and Li is a subspace of Vn , i = 1, 2, . . . , m. Then the next theorem holds. Theorem 2. For any u ∈ Vn , we have Wf (u) =
m i=1
(ai ⊕ u)2dim Li . (−1)ai ⊕u,bi ⊕ǫi χL⊥ i
Proof. Follows from the next chain of equalities:
(15)
162
O.A. Logachev et al. / Local Affinity of Boolean Mappings
Wf (u) =
(−1)f (x)⊕u,x =
x∈Vn
=
x∈π1
=
=
x∈Vn
(−1)ai ⊕u,bi ⊕ǫi
=
i=1
3m
i=1
χπi (x)[ai ,x⊕ǫi ]⊕u,x
(−1)am ⊕u,x⊕ǫm
x∈πm
(−1)a1 ⊕u,y⊕b1 ⊕ǫ1 + · · · +
i=1
m
(−1)
(−1)a1 ⊕u,x⊕ǫ1 + · · · +
y∈L1 m
(−1)am ⊕u,y⊕bm ⊕ǫm
y∈Lm
(−1)ai ⊕u,y
y∈Li
(−1)ai ⊕u,bi ⊕ǫi χL⊥ (ai ⊕ u)2dim Li . i
Corollary 1. Let D be a parquet of the space Vn w.r.t. a Boolean function f ∈ Fn and let d = minπ∈D dim π. Then Wf (u) is a multiple of 2d for any u ∈ Vn . Proof. Follows from Theorem 2. Now consider certain techniques used for constructing cryptographically significant classes of Boolean functions. These techniques are based on Eq. (15). We recall the definition of a bent function. Definition 14 ([9]). Let n = 2k, k ∈ N. A Boolean function f ∈ Fn is called bent if |Wf (u)| = 2n/2 = 2k for any u ∈ Vn . Definition 15. Parquets of the form π0 = L0 ⊕ b0 , π1 = L1 ⊕ b1 , . . . , πm−1 = Lm−1 ⊕ bm−1
(16)
⊥ ′ ⊥ ′ π0′ = L⊥ 0 ⊕ a0 , π1 = L1 ⊕ a1 , . . . , πm−1 = Lm−1 ⊕ am−1 ,
(17)
and
where a0 , . . . , am−1 , b0 , . . . , bm−1 ∈ Vn , are called dual. In the case when n = 2k, k ∈ N, dual parquets are called centrally dual if dim L0 = dim L1 = · · · = dim Lm−1 = k and m = 2k . Theorem 3. Suppose that n = 2k, k ∈ N, parquets (16) and (17) are centrally dual, k and α0 , α1 , . . . , α2k −1 are vectors such that αi ∈ πi′ = L⊥ i ⊕ ai , i = 0, 1, . . . , 2 − 1. Let ǫ0 , ǫ1 , . . . , ǫ2k −1 ∈ F2 . Then the Boolean function f defined by f (x) =
k 2% −1
i=0
χπi (x)[ αi , x! ⊕ ǫi ]
(18)
is bent. The dual function of f is given by f(x) =
k 2% −1
i=0
χπi′ (x)[ bi , x! ⊕ ǫ′i ],
(19)
O.A. Logachev et al. / Local Affinity of Boolean Mappings
163
where ǫ′i = ǫi ⊕ αi , bi !. Proof. Let u ∈ Vn . Then
Wf (u) =
3 2k −1
(−1)
x∈Vn
=
i=0
χπi (x)[αi ,x⊕ǫi ]⊕u,x
k 2 −1
(−1)αi ,x⊕ǫi ⊕u,x
k 2 −1
(−1)αi ⊕u,y⊕bi ⊕ǫi
i=0 x∈πi
=
i=0 y∈Li
=
k 2 −1
(−1)αi ⊕u,bi ⊕ǫi
i=0
(−1)αi ⊕u,y
x∈Li
k
=
2 −1 i=0 k
=2
(−1)αi ⊕u,bi ⊕ǫi χL⊥ (αi ⊕ u) · 2k i
k −1 2
(u). (−1)αi ⊕u,bi ⊕ǫi χL⊥ i ⊕αi
i=0
′ ⊥ ⊥ Since ai and αi belong to the same flat L⊥ i ⊕ ai , we have Li ⊕ αi = Li ⊕ ai = πi . Hence,
k
Wf (u) = 2
k 2 −1
(−1)αi ⊕u,bi ⊕ǫ χπi′ (u) = 2k (−1)
i=0
3 2k −1
= 2k (−1)
i=0
χπ′ (u)[u,bi ⊕ǫ′i ] i
3 2k −1 i=0
χπ′ (u)[αi ⊕u,bi ⊕ǫi ] i
= 2k (−1)f (u) ,
where ǫ′i = ǫi ⊕ αi , bi !, i = 0, 1, . . . , 2k − 1. Corollary 2. Suppose that the conditions of Theorem 3 hold and L0 = L1 = · · · = L2k −1 = L. Then the bent function f defined in this theorem and its dual function belong to the Maiorana–McFarland class M of bent functions (cf. [7,9]). Proof. Follows immediately from Theorem 3. Lemma 2 ([9]). For any Boolean function f ∈ Fn , any t-dimensional subspace L ⊆ Vn , and any u ∈ Vn , we have 2n−t −1 i=0
f (x)⊕u,x
(−1)
x∈vi ⊕L
2
=
1 2n−t
Wf2 (y),
y∈u⊕L⊥
where v0 = 0, v1 , . . . , v2n−t −1 are certain representatives of cosets L ⊕ v, v ∈ Vn .
(20)
164
O.A. Logachev et al. / Local Affinity of Boolean Mappings
Definition 16. A Boolean function f ∈ Fn is called plateaued of order 2r, 0 ≤ r ≤ n, if Wf2 (u) ∈ {0, 22n−2r } for any u ∈ Vn . Theorem 4. Let f ∈ Fn be a plateaued function of order 2r, 0 ≤ r ≤ n. Then dim π ≤ f (Vn ). n − r for any flat π = v ⊕ L ∈ P
Proof. Put t = dim π = dim L. Choose a function φ : x → u, x! ⊕ ǫ (u ∈ Vn , ǫ ∈ F2 ) such that f |π = φ|π . Consider the member of the sum in the left-hand side of Eq. (20) corresponding to the index i such that vi ⊕ L = v ⊕ L = π:
(−1)f (x)⊕u,x
x∈vi ⊕L
2
=
(−1)ǫ
x∈vi ⊕L
2
= 22t .
Therefore, we have 2t
2
≤
2n−t −1 i=0
f (x)⊕u,x
(−1)
x∈vi ⊕L
2
.
(21)
Estimate the right-hand side of Eq. (20) as follows: 1 2n−t
y∈u⊕L⊥
1
Wf2 (y) ≤
2n−t
≤
2n−t
1
# Sf ∩ u ⊕ L⊥ · 22n−2r · 2n−t · 22n−2r = 22n−2r .
(22)
It follows from (20)–(22) that 22t ≤ 22n−2r and hence dim π = t ≤ n − r. Remark 5. It follows easily from (20) that if a bent function f ∈ Fn , n = 2k, satisfies f |π = c = const, where π is a flat of dimension n/2 = k, then f is balanced on all other flats of the form v ⊕ π, v ∈ Vn . Furthermore, c = f(0).
The class of all bent functions is closed under addition of affine functions and under the action of general affine groups. Therefore it is helpful to consider the closure of a class B of bent functions w.r.t. the above-mentioned operations. We denote this closure by B. The problem of inversion of Boolean mappings is closely related to their local affinity. Relevant examples will be given in the next section.
4. Local Affinity Based Inversion of Boolean Mappings [11,12] First, we define the filter generator FG(χ, f ) based on the linear feedback shift register with a primitive generator polynomial χ(λ) = λn ⊕ χ1 λn−1 ⊕ · · · ⊕ χn−1 λ ⊕ 1 (χ0 = χn = 1) and on a filtering function f ∈ Fn (cf. Figure 2). The linear feedback shift register generates the sequence x = (x0 , x1 , . . . , xN +n−2 )T , N ≤ 2n + n − 1 satisfying the linear recurrence relation
165
O.A. Logachev et al. / Local Affinity of Boolean Mappings
✲ ✐ ✲ ✻ ✛✘
8
✐ ✲ ✐ ✻ ✻ ✛✘ ✛✘ χ2 χ1 ✚✙ ✚✙ ✻n − 2 ✻n − 1 ✛ ✛
χn−1 ✚✙ ✻ 1 0 ✛ ✛
9 x(i) ✛
❄
❄
❄
❄
f 8 (i) 9 y ✛ Figure 2.
0 ✛
8 (i) 9 n−2 n−1 x ✛ ✛ ✛
1 ✛
❄
✛ ❄
❄
❄
f 8
y
9 (i)
✛ Figure 3.
xi = χ1 xi−1 ⊕ · · · ⊕ χn−1 xi−(n−1) ⊕ χn xi−n
(23)
for i = n, n + 1, . . . , N + n − 2. The vector (x)i,n = (xi , . . . , xi+n−1 )T ∈ Vn is called a state of the filter generator. The filter generator is loaded with initial state (or initial vector) (x)0,n = (x0 , . . . , xn−1 )T . It is clear that (x)i+1,n = U (x)i,n , where ⎡ 0 1 ... ⎢0 0 . . . ⎢ ⎢ .. .. . . ⎢ . U = ⎢. . ⎢0 0 . . . ⎢ ⎣0 0 . . . 1 χn−1 . . .
⎤ 0 0⎥ ⎥ .. ⎥ .⎥ ⎥. 1 0⎥ ⎥ 0 1⎦ χ1 1 0 0 .. .
The output sequence of FG(χ, f ) is y = (y0 , . . . , yN −1 )T , where yi = f (xi , . . . , xi+n−1 ) = f U i (x0 , . . . , xn−1 )T ,
i = 0, 1, . . . , N − 1.
Next, we define the shift register SR(f ) with a filtering function f ∈ Fn (cf. Figure 3). For an input sequence x = (x0 , . . . , xN +n−2 )T satisfying (23), the output sequence y = (y0 , . . . , yN −1 )T of SR(f ) is given by
166
O.A. Logachev et al. / Local Affinity of Boolean Mappings
yi = f (xi , . . . , xi+n−1 ),
i = 0, 1, . . . , N − 1.
Let N be a positive integer. Then we put ∗ ∗ (x) = fN (x0 , x1 , . . . , xN +n−2 ) fN
= (f (x0 , . . . , xn−1 ), . . . , f (xN −1 , . . . , xN +n−2 ))T
(24)
T
for any vector x = (x0 , x1 , . . . , xN +n−2 ) ∈ VN +n−1 . 4.1. Pairs of Local Invertibility of Boolean Functions Let A be a Boolean k × m-matrix of rank k, 1 ≤ k ≤ m, and let B be a Boolean l × (m + n − 1)-matrix of rank l, 1 ≤ l ≤ m + n − 1. Furthermore, let a ∈ Vk and b ∈ Vl be vectors such that rank[A|a] = k and rank[B|b] = l. Then we put A = (A, a) and B = (B, b). The pair (A, B) is called a pair of local invertibilty. Moreover, the pair (m, m + n − 1) is called the span of (A, B) and the pair (2m−k , 2m+n−l−1 ) is called its cardinality. For any positive integers m and n denote by Prop(m, n) the set of all pairs of local invertibilty of span (m, m + n − 1). Definition 17. A pair (A, B) ∈ Prop(m, n) is said to be a pair of local invertibilty of a Boolean function f ∈ Fn if ∗ (x) = a =⇒ Bx = b Afm
for any x ∈ Vm+n−1 . Assume that the connection polynomial χ, the filtering function f , and a pair of local invertibilty (A, B) ∈ Prop(m, n) of f are publicly known. The task is to find, given the output sequence y = (y0 , . . . , yN −1 )T ∈ VN of the filter generator FG(χ, f ), a se∗ quence x = (x0 , . . . , xN +n−2 )T ∈ VN +n−1 such that y = fN (x) and recurrence relation (23) holds. To do so, it suffices to find a corresponding initial state (x0 , . . . , xn−1 )T of FG(χ, f ). From (23) it follows that, for any i = 0, 1, . . . , N + n − 2, xi can be expressed in the form xi = ξi (x0 , . . . , xn−1 ),
(25)
where ξi is a linear function in n variables x0 , x1 , . . . , xn−1 . For any s = 0, 1, . . . , N −m, we check the condition A(y)s,m = a, where (y)s,m = (ys , . . . , ys+m−1 )T . If this condition holds, then, by our assumption on (A, B), we have B(x)s,m+n−1 = b. This equation together with (25) give us a system of l linear equations for (x)0,n = (x0 , . . . , xn−1 )T . Note that if m + n ≪ N and 2k ≪ N , then it is plausible that this system of equations has a unique solution.
O.A. Logachev et al. / Local Affinity of Boolean Mappings
167
4.2. Majority Functions [13,14] Let n be an odd positive integer. A Boolean function f ∈ Fn is called the majority function if it is given by 0 if wt(x) ≤ (n − 1)/2, f (x) = 1 if wt(x) ≥ (n + 1)/2.
(26)
n−1 and the This function f is symmetric and balanced. Moreover, Nf = 2n−1 − (n−1)/2 algebraic immunity of f is ⌈n/2⌉ = (n + 1)/2. Since W (e ) = · · · = W (e f 0 f n−1 ) = n−1 , the majority function f is not resilient. (n−1)/2
Lemma 3. Let n be an odd positive integer, m = 2, and k = l = 2. Suppose that f ∈ Fn is the majority function. Then f has pairs of local invertibilty (A1 , B1 ) and (A2 , B2 ), where
10 0 , , A1 = (A1 , a1 ) = 01 1
1 0 ... 0 0 0 B1 = (B1 , b1 ) = , , 0 0 ... 0 1 1
10 1 A2 = (A2 , a2 ) = , , 01 0
1 1 0 ... 0 0 B2 = (B2 , b2 ) = . , 0 0 0 ... 0 1
Proof. Assume that A1 (y)i,2 = a1 for some i, where y is the output vector of SR(f ). Then f (xi , . . . , xi+n−1 ) = 0 and f (xi+1 , . . . , xi+n ) = 1. Using (26), we obtain
and
n−1 wt (xi , . . . , xi+n−1 )T = 2 n+1 . wt (xi+1 , . . . , xi+n )T = 2
(27)
(28)
Eqs. (27) and (28) imply that xi = 0 and xi+n = 1. Hence we have B1 (x)i,n+1 = b1 . The proof for (A2 , B2 ) goes along the same lines. 4.3. Symmetric Boolean Functions [15,16] Definition 18. A Boolean function f ∈ Fn is said to be symmetric if f (x1 , x2 , x3 , . . . , xn ) = f (x2 , x1 , x3 , . . . , xn ) = f (x2 , x3 , . . . , xn , x1 ) for any (x1 , . . . , xn )T ∈ Vn .
168
O.A. Logachev et al. / Local Affinity of Boolean Mappings
Lemma 4. Let f ∈ Fn be a nonconstant symmetric Boolean function. Put m = 2, k = 2, and l = 1. Then f has pairs of local invertibilty (A′1 , B′1 ) and (A′2 , B′2 ), where A′1 = (A′1 , a′1 ) =
10 0 , , 01 1
B′1 = (B1′ , b′1 ) = ((1, 0, . . . , 0, 1), (1)),
10 1 ′ ′ ′ , , A2 = (A2 , a2 ) = 01 0
(29)
B′2 = (B2′ , b′2 ) = ((1, 0, . . . , 0, 1), (1)). Proof. Assume that for some i we have A′1 (y)i,2 = a′1 , i.e., (y)i,2 = (0, 1)T . Here y is the output vector of SR(f ). Then f (xi , . . . , xi+n−1 ) = 0, f (xi+1 , . . . , xi+n ) = 1. Furthermore, if s = wt((x)i,n ) and t = wt((x)i+1,n ), then |s − t| = 1. It is clear that |xi − xi+n | = |s − t| = 1. Hence we get xi = xi+n , i.e., xi ⊕ xi+n = 1. Thus, B1′ (x)i,n+1 = b′1 . The proof for (A′2 , B′2 ) goes along the same lines. Definition 19 ([15]). Let n be an odd positive integer and f ∈ Fn be a symmetric function. We say that f is trivial balanced function if f (x ⊕ 1) = f (1) ⊕ 1 for any x = (x1 , . . . , xn )T ∈ Vn . 4.4. Rotation Symmetric Functions [17,18,19,20] Definition 20. A Boolean function f ∈ Fn is called rotation symmetric if f (x1 , x2 , . . . , xn ) = f (x2 , . . . , xn , x1 ) for any (x1 , . . . , xn )T ∈ Vn . Note that any symmetric Boolean function is rotation symmetric. The proof of the next lemma is similar to the proof of Lemma 4. Lemma 5. Let f ∈ Fn be a nonconstant rotation symmetric Boolean function. Put m = 2, k = 2, and l = 1. Then f has pairs of local invertibilty (A1′ , B′1 ) and (A′2 , B′2 ), where A′1 , B′1 , A′2 , and B′2 are given by (29). 4.5. Minimal Advantage Functions Let n = 2p + 1. A Boolean function f ∈ Fn is called the minimal advantage function if it is given by 1 if wt(x1 ) ≥ wt(x2 ), 1 2 (30) f (x) = f (x , x ) = 0 if wt(x1 ) < wt(x2 ), where x = (x1 , x2 ), x1 = (x0 , . . . , xp−1 )T ∈ Vp , x2 = (xp , . . . , xn−1 )T ∈ Vp+1 . The next proposition can be proved by straightforward calculation. Proposition 5. The minimal advantage function is balanced.
169
O.A. Logachev et al. / Local Affinity of Boolean Mappings
Lemma 6. Let n = 2p + 1, m = 2, k = 2, and l = 1. Suppose that f ∈ Fn is the minimal advantage function. Then f has a pair of local invertibilty (A′′ , B′′ ), where A′′ = (A′′ , a′′ ) =
10 0 , , 01 1
B′′ = (B ′′ , b′′ ) = (0, . . . , 0, 1, 0, . . . , 0), (1)) = (ep , (1)). Proof. Let x = (x0 , . . . , xm+n−2 )T ∈ Vm+n−1 and y = (y0 , . . . , ym−1 )T ∈ Vm be input and output vectors of SR(f ), respectively. Assume that (y)i,2 = (0, 1)T for some i ∈ {0, 1, . . . , m + n − 3}. Then f (x0 , . . . , xp−1 , xp , . . . , xn−1 ) = 0 and f (x1 , . . . , xp , xp+1 , . . . , xn ) = 1. Using (30), we get
If xp = 0, then
wt (x0 , . . . , xp−1 )T < wt (xp , . . . , xn−1 )T , wt (x1 , . . . , xp )T ≥ wt (xp+1 , . . . , xn )T .
(31)
wt (x1 , . . . , xp )T ≤ wt (x0 , . . . , xp−1 )T < wt (xp , . . . , xn−1 )T ≤ wt (xp+1 , . . . , xn )T ,
a contradiction with (31). Hence, xp = 1.
4.6. Local Invertibility and Resettability [12] ∞ Let V = F∞ 2 be the set of all infinite sequences over F2 . We write x = (xi )i=1 for elements of the set V. The subsequences of a sequence x ∈ V are denoted as follows:
1) (x)i,s = (xi , xi+1 , . . . , xi+s−1 )T ∈ Vs , i = 1, 2, . . . , s = 1, 2, . . . ; 2) (x)i,∞ = (xi , xi+1 , . . . , xi+t , . . . ) ∈ V, i = 1, 2, . . . .
Similarly, we put
(x)i,s = (xi , xi+1 , . . . , xi+s−1 )T ∈ Vs ,
1 ≤ i ≤ n, 1 ≤ s ≤ n − i + 1
for a vector x = (x1 , . . . , xn )T ∈ Vn . Let f ∈ Fn . Define a mapping f ∗ : V → V by f ∗ (x) = (f ((x)1,n ) , f ((x)2,n ) , . . . , f ((x)t,n ) , . . . ) ,
x ∈ V.
This mapping is induced by the binary shift register of length n without feedback and by filtering Boolean function f . Definition 21. Let f ∈ Fn . The mapping f ∗ is locally invertible if there exist m ∈ N and y ∈ Vm such that 8 9 (i) D(f ∗ , y) = z ∈ V | (f ∗ )−1 (y, z) = ∅ = ∅; (ii) for any w, w′ ∈ (f ∗ )−1 (y, z) and any z ∈ D(f ∗ , y), we have (w)m+1,∞ = (w′ )m+1,∞ .
170
O.A. Logachev et al. / Local Affinity of Boolean Mappings
The set of all such y is denoted by Inv(f ∗ ). Let ρf (·, ǫ) : Vn → Vn , ǫ = 0, 1, be mappings induced by nonautonomous binary shift register of length n with feedback function f ∈ Fn . These mappings are given by ρf (x, ǫ) = ρf (x1 , . . . , xn )T , ǫ = (x2 , . . . , xn , f (x1 , . . . , xn ) ⊕ ǫ)T , x ∈ Vn , ǫ ∈ F2 .
They can be iterated as follows: ρf (x, u) = ρf (. . . , ρf (ρf (x, u1 ), u2 ), . . . , ul ),
x ∈ Vn , u = (u1 , u2 , . . . , ul )T ∈ Vl
for any positive integer l. Following [21], we define the reversibility a Boolean function. Definition 22. Let f ∈ Fn . We say that a Boolean function f is resettable if there exist l ∈ N and y ∈ Vl such that ρf (x, y) = z(y) for any x ∈ Vn , where z(y) ∈ Vn does not depend on x. Any vector y satisfying this condition is called a resetting sequence of the function f . Proposition 6. A Boolean function f ∈ Fn is resettable iff for any distinct x, x′ ∈ Vn there exist s = s(x, x′ ) ∈ N and y = y(x, x′ ) ∈ Vs such that ρf (x, y) = ρf (x′ , y). Proof. Follows from Definition 22. Theorem 5. Suppose f ∈ Fn+1 has the form f (x1 , . . . , xn , xn+1 ) = g(x1 , . . . , xn ) ⊕ xn+1 ,
(32)
where g ∈ Fn . Then the mapping f ∗ is locally invertible (i.e., Inv(f ∗ ) = ∅) iff the function g is resettable. Proof. Note that the function f is perfectly balanced (cf. [22,23]). Therefore for any sequence z ∈ V we have #(f ∗ )−1 (z) = 2n .
(33)
Moreover, for any b ∈ Vn there exists a sequence x ∈ (f ∗ )−1 (z) such that (x)1,n = b. Assume that f ∗ is locally invertible, i.e., Inv(f ∗ ) = ∅. Hence there exist m ∈ N and y ∈ Vm satisfying the conditions of Definition 21. Let z ∈ D(f ∗ , y) = V. Denote by M (f ∗ , (y, z)) an infinite Boolean matrix whose rows are all sequences x ∈ (f ∗ )−1 ((y, z)) (in arbitrary order): ⎡ 1⎤ ⎡ ⎤ x x11 x12 . . . x1m+1 . . . x1m+n . . . 2 ⎢x ⎥ ⎢ 2 2 x1 x2 . . . x2m+1 . . . x2m+n . . .⎥ ⎢ ⎥ ⎥. (34) M (f ∗ , (y, z)) = ⎢ . ⎥ = ⎢ ⎣ .. ⎦ ⎣ . . n. . . n. . . . . .n. . . . . n. . . . .⎦ 2 2 2 2 n x1 x2 . . . xm+1 . . . xm+n . . . x2
O.A. Logachev et al. / Local Affinity of Boolean Mappings
171
By Eq. 33, the matrix M (f ∗ , (y, z)) has 2n rows. Furthermore, n = Vn . (x1 )1,n , (x2 )1,n , . . . , x2 1,n
Condition (ii) of Definition 21, we have (x1 )m+1,∞ = (x2 )m+1,∞ = · · · = Using n x2 m+1,∞ . Hence, T n n (x1m+1 , . . . , x1m+n )T = (x2m+1 , . . . , x2m+n )T = · · · = x2m+1 , . . . , x2m+n = a.
Moreover,
yi = f (xki , . . . , xki+n ) = g(xki , . . . , xki+n−1 ) ⊕ xki+n
(35)
for any k = 1, 2, . . . , 2n and any i = 1, 2, . . . , m. Using Eq. (35), we get ρg ((xk1 , . . . , xkn ), y) = (xkm+1 , . . . , xkm+n )T = a for any k = 1, 2, . . . , 2n . Thus y is a reverse vector of the function g. Now assume that g is resettable. Then there exist m ∈ N and a reverse vector y ∈ Vm such that ρf (x, y) = b(y)
(36)
for any x ∈ Vn , where b(y) ∈ Vn does not depend on x. Let z ∈ V. By Eq. (33), we have #(f ∗ )−1 (y, z) = 2n . This and Eq. (35) imply that (u)m+1,n = b(y)
(37)
for any u ∈ (f ∗ )−1 (y, z). Let u, u′ ∈ (f ∗ )−1 ((y, z)), u = u′ . Then it follows from (32) and (37) that (u)m+1,∞ = (u′ )m+1,∞ . Example 9. Let f be a Boolean function in Fn such that f (x1 ⊕ 1, . . . , xn ⊕ 1) = f (x1 , . . . , xn ) for any (x1 , . . . , xn )T ∈ Vn . Then the mapping f ∗ is not locally invertible. This follows because f ∗ (x1 ⊕ 1, x2 ⊕ 1, . . . ) = f ∗ (x1 , x2 , . . . ) for any (x1 , x2 , . . . ) ∈ V. Example 10. Let n be an odd positive integer and let g ∈ Fn be the majority function defined in Subsection 4.2. Suppose f ∈ Fn+1 has the form f (x1 , . . . , xn , xn+1 ) = g(x1 , . . . , xn ) ⊕ xn+1 . Then the mapping f ∗ is locally invertible. Example 11. Let h ∈ Fn−1 . Suppose f ∈ Fn+1 has the form f (x1 , . . . , xn+1 ) = x1 ⊕ h(x2 , . . . , xn ) ⊕ xn+1 . Then the mapping f ∗ is not locally invertible.
172
O.A. Logachev et al. / Local Affinity of Boolean Mappings
References [1] W.E. Clark, X.D. Hou, and A. Mihailovs, The Affinity of Permutations of a Finite Vector Space, Tennessee Technological University, Department of Mathematics, Technical Report No. 2004-3, July 2004, p. 25. [2] X.D. Hou, Affinity of Permutations of P2n , Descrete Applied Mathematics 154(2) (2006), 313–325. [3] F.J. MacWilliams and N.J.A. Sloane, The Theory of Error-Correcting Codes, Parts I, II, North-Holland Publishing Company, Amsterdam, New York, Oxford, 1977. [4] M.Y. Buryakov and O.A. Logachev, About the Affinity Level of Boolean Functions, Discrete mathematics 17(4) (2005), 98–107 (in Russian). [5] O.A. Logachev, A Lower Bound on the Affinity Level for Almost All Boolean Functions (to be printed in Russian). [6] O.A. Logachev, A.A. Sal’nikov, and V.V. Yashchenko, Several Characteristics of “Nonlinearity” of Group Mappings, The Discrete Analysis and Operation Research, Series 1 8(1) (2001), 40–54 (in Russian). [7] C. Carlet, P. Charpin, and V. Zinoviev, Codes, Bent Functions and Permutations Suitable for DES-Like Cryptosystems Design, Codes and Cryptography 15 (1998), 125–156. [8] K. Nyberg, S-Boxes and Round Functions with Controllable Linearity and Differential Uniformity, Proc. of FSE’1994, LNCS 1008 (1995), Springer-Verlag, 111–130. [9] O.A. Logachev, A.A. Sal’nikov, and V.V. Yashchenko, Boolean Functions in Coding Theory and Cryptology, MCCME, Moscow, 2004 (in Russian). [10] P.A. Gavrilushkin, The Investigation of Local Affinities of Boolean Functions: Properties of the Filtering Function of the Stream Cipher Lili-128, Term paper, CMC department, Lomonosov University, Moscow, 2007. [11] O.A. Logachev and D.S. Nazarova, Local Affine Based Inversion, Proc. of 2nd International Conference on Security and Countering Terrorism (Moscow, October 25–26, 2006), MCCME, Moscow, 2007, 227– 248 (in Russian). [12] O.A. Logachev, Locally Invertible Boolean Mappings, Cryptology ePrint Archive, Report 2007/307, http://eprint.iacr.org/. [13] M. Lobanov, Tight Bound between Nonlinearity and Algebraic Immunity, Cryptology ePrint Archive, Report 2005/441, http://eprint.iacr.org/. [14] D.K. Dalai, S. Maitra, and S. Sarcar, Basic Theory in Construction of Boolean Functions with Maximum Possible Algebraic Immunity, Cryptology ePrint Archive, Report 2005/229, http://eprint.iacr.org/. [15] A. Canteaut and M. Videau, Symmetric Boolean Functions, IEEE Transaction on Information Theory IT-51(8) (2005), 2791–2811. [16] A. Braeken and B. Preneel, On the Algebraic Immunity of Symmetric Boolean Functions, Proc. of Indocrypt’2005, LNCS 3348 (2004), Springer-Verlag, 120–135. [17] D.K. Dalai, S. Maitra, and P. Stanica, Results on Rotation Symmetric Bent Functions, Cryptology ePrint Archive, Report 2005/118, http://eprint.iacr.org/. [18] P. Ke, Z. Chang, and Q. Wen, Results on Rotation Symmetric Boolean Functions, Cryptology ePrint Archive, Report 2005/130, http://eprint.iacr.org/. [19] A. Maximov, Classes of Plateaud Rotation Symmetric Boolean Functions under Transformation of Walsh Spectra, Cryptology ePrint Archive, Report 2004/354, http://eprint.iacr.org/. [20] S. Kavut, S. Maitra, P. Sarkar, M.D. Yucel. Enumeration of 9-Variable Rotation Symmetric Boolean Functions Having Nonlinearity Greater Than 240, Cryptology ePrint Archive, Report 2006/249, http://eprint.iacr.org/. [21] I.K. Ristsov, Reverse Words of Solvable Automata, Kibernetika i Sistemnii Analis 6 (1994), 21–26 (in Russian). [22] S.N. Sumarokov, Defects of Boolean Functions and Invertability of a Certain Class of Coding Circuits, Obozrenie Prikladnoi i Promyshlennoi Matematiki 1(1) (1994), 33–55 (in Russian). [23] O.A. Logachev, On Perfectly Balanced Boolean Functions, Cryptology ePrint Archive, Report 2007/022, http://eprint.iacr.org/. [24] G. Birkhoff, Lattice Theory, Providence, Rhode Island, 1967. [25] R.P. Stanley, Enumerative Combinatorics, Wadsworth and Brooks/Cole Advanced Books and Software, Monterey, California, 1986.
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-173
173
Boolean Functions on Odd Number of Variables Having Nonlinearity Greater Than the Bent Concatenation Bound Subhamoy MAITRA 1 Indian Statistical Institute, Kolkata, India Abstract. Here we briefly survey the state of the art nonlinearity results for Boolean functions on odd number of input variables having very high nonlinearity. We outline some results on even variable Boolean functions too. Keywords. Boolean function, nonlinearity, Walsh spectrum
Introduction In [1], Patterson and Wiedemann presented Boolean functions on 15-variables with nonlinearity strictly greater than the bent concatenation bound. After more than two decades, in [2], 9-variable functions having nonlinearity exceeding the bent concatenation bound have been demonstrated. Most interestingly, both these constructions rely on the idempotent structure of the Boolean functions. Under the interpretation that a Boolean function is a mapping f : GF(2n ) → GF(2), the functions presented in [1,2,3] are such that f (x2 ) = f (x) for any x ∈ GF(2n ). These functions were studied in [4,5] and referred as idempotents. By fixing any irreducible polynomial of degree n over GF(2), one may interpret the mapping f : GF(2n ) → GF(2) as f : {0, 1}n → {0, 1}. One can use this interpretation to get a Rotation Symmetric Boolean Function (RSBF) from an idempotent by choosing a primitive polynomial of degree n and a normal basis [4]. The RSBFs are studied in great detail recently and it has been found that this sub class of Boolean functions is extremely rich in terms of cryptographic and combinatorial properties [6,7,8,9,3,10,11,12,13,14]. High nonlinearity of a Boolean function is important when it is used as a building block in any cryptographic system. On the other hand nonlinearity of a Boolean function is directly related to the covering radius of first order Reed–Muller codes. It is well known that the maximum possible nonlinearity of an n-variable Boolean function is andF functions with this nonlinearity are called bent 2n−1 − 2n/2−1 for n even [15,16] E functions. The bound 2n−1 − 2n/2−1 is in general not known to be achieved when n is odd. For odd n, one can easily get (balanced) Boolean functions having nonlinearity 2n−1 − 2(n−1)/2 by suitably concatenating two bent functions on (n − 1) variables. That 1 Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolkata 700 108, India; E-mail: [email protected].
174
S. Maitra / Boolean Functions on Odd Number of Variables
is the reason the nonlinearity value 2n−1 − 2(n−1)/2 for odd n is referred to as bent concatenation bound. For odd n ≤ 7, the maximum nonlinearity of n-variable functions is 2n−1 − 2(n−1)/2 [17,18] and for odd n > 7, the maximum nonlinearity can exceed this bound [1,2,3]. Since balancedness is a useful cryptographic property for a Boolean function, the question of getting balanced Boolean function with high nonlinearity is an important issue. Further it is also combinatorially very interesting. As the bent functions are not balanced, the maximum nonlinearity for n-variable balanced functions for even n must be less than 2n−1 − 2n/2−1 . Denote the maximum nonlinearity for any balanced Boolean function on b-variables by nlb(b). Dobbertin conjectured in [19] that for n even, nlb(n) ≯ 2n−1 − 2n/2 + nlb(n/2). This conjecture still remains unsettled. 1. Preliminaries on Boolean Functions An n-variable Boolean function f is a mapping f : GF(2n ) → GF(2). Another representation of a Boolean function f is a mapping f : {0, 1}n → {0, 1}. This representation is called the truth table representation. Using any basis of GF(2n ), we can express each x ∈ GF(2n ) as an n-tuple (x1 , x2 , . . . , xn ), xi ∈ GF(2), i = 1, . . . , n. Thus we can draw the truth table representation from the former representation. We now concentrate on the truth table representation of a Boolean function which is a 2n length binary string f = [f (0, 0, . . . , 0), f (1, 0, . . . , 0), f (0, 1, . . . , 0), . . . , f (1, 1, . . . , 1)]. The Hamming weight of a binary string T is the number of 1’s in T , denoted by wt(T ). An n-variable function f is said to be balanced if its truth table contains an equal number of 0’s and 1’s, i.e., wt(f ) = 2n−1 . Also, the Hamming distance between two equidimensional binary strings T1 and T2 is defined by d(T1 , T2 ) = wt(T1 ⊕ T2 ), where ⊕ denotes the addition over GF(2). An n-variable Boolean function f (x1 , . . . , xn ) can be considered to be a multivariate polynomial over GF(2). This polynomial can be expressed as a sum of products representation of all distinct k-th order products (0 ≤ k ≤ n) of the variables. More precisely, f (x1 , . . . , xn ) can be written as a0 ⊕
%
1≤i≤n
ai x i ⊕
%
1≤i q. 3. Let K = GF(2t )∗ · GF(2q )∗ be the cyclic subgroup of order (2t − 1)(2q − 1) in GF(2n )∗ . 4. Let φ2 ! be the group of Frobenius automorphisms where φ2 : GF(2n ) → GF(2n ) is defined by x → x2 . 5. Now consider the functions that are invariant under the action of both K and φ2 !. 6. For t = 5, q = 3, such functions have been studied in [1]. 7. After search, functions could be discovered with nonlinearity greater than the bent concatenation bound (16256). 8. Two functions with nonlinearity 16268 and two functions with nonlinearity 16276 could be found (upto affine equivalence). One may look at this construction as described in [23]. 1. Consider f (0) = 0. 15 2. Elements of GF(215 ) are 0, α0 , α1 , . . . , α2 −2 . 3. Take an array of length 215 − 1. Location i (0 to 215 − 2) corresponds to the input αi and the value in the array is the output of the function. 4. The function f is invariant under the action of both K and φ2 !. This means that the inputs will be divided in 11 groups. For all the inputs corresponding to each group, the output is same. 5. It can be checked that the groups are as follows: 1 group containing 217 elements, 10 groups containing 3255 elements each, and f (0) = 0. Note that 1 + 217 + 10 · 3255 = 32768 = 215 . 6. Thus the search effort small: trivially211 as there are only 11 groups. A closer look shows that the search is actually 10 5 . 7. Consider α is a root of x15 + x + 1 to construct the truth table of f when interpreting the function as a mapping {0, 1}n → {0, 1}. The functions that are invariant under the action of the group of Frobenius automorphisms φ2 ! are referred as idempotents [4,5] and they can be interpreted as Rotation Symmetric Boolean Functions (RSBFs). In [5] the idempotents were studied for n = 9 taking the motivation from [1]. However, the search was not exhaustive and mostly to-
S. Maitra / Boolean Functions on Odd Number of Variables
179
wards studying the balanced functions; that is the reason the functions with nonlinearity more than 240 could not be discovered. In [2], a heuristic search in the class of 9-variable RSBF produced 9-variable Boolean functions having nonlinearity 241. The functions reported in [2] are discovered using a suitably modified steepest-descent based iterative heuristic search in the RSBF class. Later Kavut, Maitra, Sarkar, Yücel [3] searched the complete space of 9-variable RSBFs efficiently and found that 241 is the maximum nonlinearity in that class. There are 8 × 189 many functions in the 9-variable RSBF class with nonlinearity 241 and there are only two different functions up to the affine equivalence. Dihedral group is a subgroup of the Symmetric group and it contains the Cyclic group as a subgroup. A Boolean function, which is invariant under the action of Dihedral group is called Dihedral Symmetric Boolean Function (DSBF). Thus the set of DSBFs is a subset of the set of RSBFs. In [24] it has been noted that there are 9-variable DSBFs having nonlinearity 241. Recently, in [22], 9-variable Boolean functions having nonlinearity 242 has been reported. The technique used heuristic search over some suitable extensions of RSBF and DSBF classes. Next we concentrate on nonlinearity of balanced functions. First we note the cases when n is even. A function f is balanced iff Wf (0) = 0. Bent functions are not balanced as Wf (0) = ±2n/2 = 0. For n even we list the number of variables and the maximum possible nonlinearity of balanced functions for a few cases as: (2, 0), (4, 4), (6, 26). However, the question is open for 8 variables onwards. Dobbertin conjectured [19] that nlb(n) ≯ 2n−1 − 2n/2 + nlb(n/2) when nlb(·) is the maximum possible nonlinearity of a balanced function on n variables for n even. The conjecture is still open. For 8, 10 variables, the open question turns out to be the construction of balanced functions having nonlinearity 118, 494 respectively. Next we describe the existing balanced nonlinearity results for odd n. The 15variable PW functions were used as a black box in [25] to construct balanced functions on odd number of input variables (≥ 29) having nonlinearity greater than bent concatenation bound. However, the internal structure of the PW functions were not studied in [25]. In [26,27] the internal structure of the PW functions have been modified to get improved results upon [25] in terms of nonlinearity for balanced functions on odd number (≥ 15) of input variables. The idea of [26,27] was as follows. Take n = 15. Consider the truth table of a PW function f as a mapping from {0, 1}n → {0, 1}. One can easily check that there are 3255 many points ω ∈ {0, 1}n where the value of the Walsh spectrum Wf (ω) = 40. Now consider a function g = f ⊕ ω · x. Clearly Wg (0) = 40 and one needs to toggle 20 output bits from 0 to 1 to achieve balancedness. The idea of [26,27] was to divide the 2n -bit long truth table of g in 20 (almost) equal contiguous parts and selecting a random 0 bit from each part and toggle that to 1. Thus the modified function from g becomes balanced and in some of the cases the reduction in nonlinearity was less than 20. That provided the nonlinearity greater than the bent concatenation bound. Though the simple method provided nice results, it was only a heuristic and the idempotent structure of the PW functions were not exploited at all. The idempotent structure of the PW functions have been studied in details in [28]. In this paper the neighbourhood of 15-variable Patterson–Wiedemann (PW) functions is
180
S. Maitra / Boolean Functions on Odd Number of Variables
studied. The idempotent structure of the PW functions is interpreted as Rotation Symmetric Boolean Functions (RSBFs). Then techniques are presented to modify these RSBFs to introduce zeros in the Walsh spectra of the modified functions with minimum reduction in nonlinearity. The technique of [28] demonstrates 15-variable balanced functions with currently best known nonlinearity 16272. The 9-variable functions with nonlinearity 242 reported in [22] cannot be made balanced keeping the nonlinearity greater than 240. However, using these functions, in [29], balanced Boolean functions on 13-variables having nonlinearity strictly greater than the Bent concatenation bound have been reported. The technique used similar heuristic search ideas as in [26,27]. 3. Conclusion and Open Questions The study of Boolean functions with very high nonlinearity is an important area of research. This has implications to cryptography as well as coding theory. Recent results show that to get functions with record nonlinearities one needs to understand the combinatorial properties to reduce the search space and then to go for exhaustive or heuristic search in that space. It will be a major development in this area if further theoretical understanding can be achieved to construct these functions instead of search. We now list a few open questions in this direction. For even number of variables: 1) characterization of bent functions for 8 and more number of variables; 2) to prove or disprove Dobbertin’s conjecture for balanced functions; in particular to find 8 (respectively 10) variable balanced functions having nonlinearity 118 (respectively 494) or to show they cannot exist. For odd number of variables: 1) to find 9-variable Boolean functions having nonlinearity greater than 242; to find 9-variable balanced Boolean functions having nonlinearity greater than or equal to 242; 2) to study the RSBF classes for 11 and 13 variables directly for functions having nonlinearity greater than bent concatenation bounds; 3) to study the 15 variable functions for nonlinearity greater than 16276. Acknowledgements The author likes to acknowledge the committee members of the conference “Boolean Functions in Cryptology and Information Security” organized by NATO Advanced Study Institute during September 8–18, 2007, at Zvenigorod (near Moscow), Russia for their nice cooperation and hospitality. References [1] N.J. Patterson and D.H. Wiedemann, The covering radius of the (215 , 16) Reed–Muller code is at least 16276, IEEE Transactions on Information Theory IT-29(3) (1983), 354–356. See also the correction in IEEE Transactions on Information Theory IT-36(2) (1990), 443.
S. Maitra / Boolean Functions on Odd Number of Variables
181
[2] S. Kavut, S. Maitra, and M.D. Yücel, Search for Boolean Functions with Excellent Profiles in the Rotation Symmetric Class, IEEE Transactions on Information Theory 53(5) (2007), 1743–1751. An earlier version of this paper is available as “There exist Boolean functions on n (odd) variables having n−1
[3]
[4]
[5] [6] [7]
[8]
[9]
nonlinearity > 2n−1 − 2 2 if and only if n > 7”, Cryptology ePrint Archive, Report 2006/181, http://eprint.iacr.org/. S. Kavut, S. Maitra, S. Sarkar, and M.D. Yücel, Enumeration of 9-variable Rotation Symmetric Boolean Functions having Nonlinearity > 240, Proc. of INDOCRYPT’2006, Lecture Notes in Computer Science 4329 (2006), Springer-Verlag, 266–279. E. Filiol and C. Fontaine, Highly nonlinear balanced Boolean functions with a good correlationimmunity, Proc. of EUROCRYPT’98, Lecture Notes in Computer Science 1403 (1998), Springer-Verlag, 475–488. C. Fontaine. On some cosets of the First-Order Reed–Muller code with high minimum weight. IEEE Transactions on Information Theory IT-45(4) (1999), 1237–1243. T.W. Cusick and P. St˘anic˘a, Fast Evaluation, Weights and Nonlinearity of Rotation-Symmetric Functions, Discrete Mathematics 258 (2002), 289–301. D.K. Dalai, S. Maitra, and S. Sarkar, Results on rotation symmetric Bent functions. Proc. of Second International Workshop on Boolean Functions: Cryptography and Applications (BFCA’06), Publications of the universities of Rouen and Havre, 137–156, 2006. M. Hell, A. Maximov, and S. Maitra, On efficient implementation of search strategy for rotation symmetric Boolean functions. Proc. of Ninth International Workshop on Algebraic and Combinatorial Coding Theory (ACCT’2004), Black Sea Coast, Bulgaria, 2004. S. Kavut, S. Maitra, and M.D. Yücel, Autocorrelation spectra of balanced Boolean functions on odd n+1
[10]
[11]
[12] [13]
[14]
[15] [16] [17] [18] [19]
[20] [21] [22]
[23]
number input variables with maximum absolute value < 2 2 , Proc. of Second International Workshop on Boolean Functions: Cryptography and Applications (BFCA’06), Publications of the universities of Rouen and the Havre, 73–86, 2006. A. Maximov, M. Hell, and S. Maitra, Plateaued Rotation Symmetric Boolean Functions on Odd Number of Variables, Proc. of First Workshop on Boolean Functions: Cryptography and Applications (BFCA’05), Publications of the universities of Rouen and Havre, 83–104, 2005. A. Maximov, Classes of Plateaued Rotation Symmetric Boolean functions under Transformation of Walsh Spectra, Proc. International Workshop on Coding and Cryptography 2005, 325–334. See also Cryptology ePrint Archive, Report 2004/354, http://eprint.iacr.org/. J. Pieprzyk and C.X. Qu, Fast Hashing and Rotation-Symmetric Functions, Journal of Universal Computer Science 5 (1999), 20–31. P. St˘anic˘a and S. Maitra, Rotation Symmetric Boolean Functions—Count and Cryptographic Properties, Proc. of R.C. Bose Centenary Symposium on Discrete Mathematics and Applications, 2002, Electronic Notes in Discrete Mathematics 15, Elsevier. P. St˘anic˘a, S. Maitra, and J. Clark, Results on Rotation Symmetric Bent and Correlation Immune Boolean Functions, Proc. of Fast Software Encryption Workshop (FSE’2004), Lecture Notes in Computer Science 3017 (2004), Springer Verlag, 161–177. J.F. Dillon, Elementary Hadamard Difference sets, Ph.D. Thesis, University of Maryland, 1974. O.S. Rothaus, On bent functions, Journal of Combinatorial Theory, Series A 20 (1976), 300–305. E.R. Berlekamp and L.R. Welch, Weight distributions of the cosets of the (32, 6) Reed–Muller code, IEEE Transactions on Information Theory IT-18(1) (1972), 203–207. J.J. Mykkeltveit, The covering radius of the (128, 8) Reed–Muller code is 56, IEEE Transactions on Information Theory IT-26(3) (1980), 359–362. H. Dobbertin, Construction of Bent Functions and Balanced Boolean Functions with High Nonlinearity, Proc. of Fast Software Encryption (FSE’1994), Lecture Notes in Computer Science 1008 (1994), Springer-Verlag, 61–74. X. Hou, Covering radius of the Reed–Muller code R(1, 7)—a simpler proof, Journal of Combinatorial Theory, Series A 74(3) (1996), 337–341. P. Langevin and J.-P. Zanotti, Nonlinearity of some invariant Boolean functions, Designs, Codes and Cryptography 36(2) (2005), 131–146. S. Kavut and M.D. Yücel, Generalized Rotation Symmetric and Dihedral Symmetric Boolean Functions—9 Variable Boolean Functions with Nonlinearity 242, Proc. of AAECC-17, Lecture Notes in Computer Science4851 (2007), Springer-Verlag, 321–329. S. Gangopadhyay, P.H. Keskar, and S. Maitra, Patterson–Wiedemann Construction Revisited, Discrete
182
[24]
[25]
[26]
[27]
[28]
[29]
S. Maitra / Boolean Functions on Odd Number of Variables
Mathematics 306(14) (2006), 1540–1556. A special issue containing selected papers from “R.C. Bose Centennial Symposium on Discrete Mathematics and Applications”, December 2002. S. Maitra, S. Sarkar, and D.K. Dalai, On Dihedral Group Invariant Boolean Functions, Proc. of Third International Workshop on Boolean Functions: Cryptography and Applications (BFCA’07), May 2–3, 2007, Paris, France. J. Seberry, X.M. Zhang, and Y. Zheng, Nonlinearly balanced Boolean functions and their propagation characteristics, Proc. of CRYPTO’93, Lecture Notes in Computer Science 773 (1994), Springer-Verlag, 49–60. P. Sarkar and S. Maitra, Construction of nonlinear Boolean functions with important cryptographic properties, Proc. of EUROCRYPT’2000, Lecture Notes in Computer Science 1807 (2000), Springer Verlag, 485–506.. S. Maitra and P. Sarkar, Modifications of Patterson–Wiedemann functions for cryptographic applications, IEEE Transactions on Information Theory 48(1) (2002), 278–284. This paper is based on certain portions of [26]. S. Sarkar and S. Maitra, Idempotents in the Neighbourhood of Patterson–Wiedemann Functions having Walsh Spectra Zeros, accepted in Designs, Codes and Cryptography. An earlier version appears in Proc. of WCC’2007, International Workshop on Coding and Cryptography, April 16–20, 2007, Versailles, France, 351–360. A detailed version is available at Cryptology ePrint Archive, Report 2007/427, http://eprint.iacr.org/. S. Maitra, Balanced Boolean Function on 13-variables Having Nonlinearity Strictly Greater Than the Bent Concatenation Bound, Cryptology ePrint Archive, Report 2007/309, http://eprint.iacr.org/.
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-183
183
Decimation Based Algebraic and Correlation Attacks and Design of Boolean Functions Miodrag J. MIHALJEVIC´ 1 Mathematical Institute, Serbian Academy of Sciences and Arts, Belgrade, Serbia and National Institute of Advanced Industrial Science and Technology, Tokyo, Japan Abstract. Security evaluation techniques relevant for some models of stream ciphers based on linear feedback shift registers and Boolean functions are addressed. The article points out to some recently developed advanced algebraic and correlation attacks and their implications regarding design of secure Boolean functions. The considered cryptanalytic approaches are based on appropriately decimated sample resulting into conversion of certain Boolean functions into the weaker ones. Keywords. Stream cipher, algebraic attack, fast correlation attack, Boolean function, design criterion
Introduction Boolean functions are common elements of a number of cryptographic primitives and design requirements for Boolean function depend on the attacks they should resists. Particularly, Boolean functions are design components of different keystream generators for stream ciphers. On the other hand two generic attacking approaches on certain stream ciphers are algebraic and fast correlation attacks. These attacks imply corresponding guidelines for design of appropriate Boolean functions. This article points out to certain algebraic and correlation attack techniques for cryptanalysis of some keystream generators which employ a Boolean function as an output mapping of the sequences generated by linear shift registers (see [1], for example) and more generally linear finite state machines. Algebraic attacks have appeared as a powerful tool for cryptanalysis and security evaluation of certain encryption schemes and particularly stream ciphers including the nonlinear filter based keystream generators. Some early algebraic attacks on stream and related ciphers have been reported in [2] as well as in [3] and [4]. Very recently, a number of algebraic attacks have been reported in [5,6,7,8,9,10]. 1 Mathematical Institute, Serbian Academy of Sciences and Arts, Belgrade, Serbia and Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science and Technology (AIST), Tokyo, Japan; E-mail: [email protected].
184
M.J. Mihaljevi´c / Decimation Based Algebraic and Correlation Attacks
All contemporary correlation attacks originate from [11] where this cryptanalytic approach was introduced, and [12] where the first fast correlation attack algorithm was proposed. The fast correlation attack is usually modeled as the problem of recovering a LFSR initial state when its output sequence is observable via a binary symmetric channel (BSC) with crossover probability equal to p. The modeling of a BSC is a consequence of the linearization of the keystream generator. Accordingly, the fast correlation attack can be addressed as the decoding of an appropriate code related to the LFSR output sequence. As underlying codes, certain block and convolutional codes have been considered, and the employed decoding techniques include two main approaches: one pass decoding and iterative decoding. The reported iterative block decoding approaches include [13,14], and the non-iterative approaches include those reported in [15] and [16], for example. The most efficient techniques include a search over all hypotheses on a subset of the information bits. The convolutional code based approaches for fast correlation attack have been considered in a number of papers including the ones recently reported in [17] and [18]. Main goal of this article is to point out to certain recently developed algebraic and fast correlation attack reported in [10,19,20] which imply additional design requests on Boolean functions. The rest of this article is organized as follows. The model of the keystream generators under consideration is discussed in Section 1, and certain preliminaries are given in Section 2. The framework for the dedicated decimation based cryptanalysis employing algebraic and fast correlation attack approaches is given in Section 2. Following this framework, the algebraic and fast correlation attacks relevant for Boolean functions design guidelines are considered in Sections 4 and 5, respectively. Section 6 yields some illustrative numerical examples, and concluding discussion is given in Section 7.
1. Model of the Keystream Generators Under Consideration 1.1. Preliminaries An m-variable Boolean function f (x1 , x2 , . . . , xm ) can be considered as a multivariate polynomial over GF(2). This polynomial can be expressed as a sum of products of all distinct r-th order products (0 ≤ r ≤ m) of the variables as follows: f (x1 , x2 , . . . , xm ) =
%
u∈GF(2m )
λu
m 0
xui i ,
i=1
λu ∈ GF(2), u = (u1 , u2 , . . . , um )
or f (x1 , x2 , . . . , xm ) = a0 ⊕
%
1≤i≤m
ai x i ⊕
%
aij xi xj
1≤i N
Remark 2. According to the results presented in [23] for given p∗ and w, the required number M ∗ of parity checks can be estimated as O((1 − 2p∗ )−2w ). Regarding the parameter w see [15,16] for the trade-off between the required sample size and preprocessing/processing complexity. Remark 3. For each i = B + 1, B + 2, . . . , L, the expected cardinality of Ωi (B) is 2−w |Ωi |, and so the expected cardinality of Ωi should be 2w M ∗ .
Accordingly, the structure of the proposed fast correlation attack implies the following statements. Proposition 5. When Assumption 2 holds, the expected sample N ∗ required for the B−L ∗ proposed fast correlation attack satisfies 2B−L (L − B) 2 w N > 2wM ∗ implying −1 ∗ that required length of N ∗ is O 2L−B+w (L−B−log2 (L−B)+w+log2 M ) .
Proposition 6. When Assumption 2 holds, the expected time complexity of the proposed ∗ fast correlation attack pre-processing is O 2L−B+log2 (L−B)+w+log2 M .
Proposition 7. When Assumption 2 holds, the expectedtime complexity of the proposed fast correlation attack processing is O (L − B)2B M ∗ .
Proposition 8. When Assumption 2 holds, the expected space complexity of the proposed fast correlation attack processing is O((L − B)2w M ∗ ). According to Propositions 5–7, Table 2 summarizes the performance of the proposed Algorithm II and compares it with the related previously reported algorithm.
6. Illustrative Example This section points out the performance of the considered algorithms in a particular illustrative case where the keystream generator from Figure 1 is specified as follows: (i) the employed LFSM is a linear feedback shift register of length L = 89 with the following feedback (primitive) polynomial x89 ⊕ x83 ⊕ x80 ⊕ x55 ⊕ x53 ⊕ x42 ⊕ x39 ⊕ x + 1. (the same LFSR as the one employed in LILI-128 stream cipher, [24]);
196
M.J. Mihaljevi´c / Decimation Based Algebraic and Correlation Attacks
Table 3. Numerical comparison of the requirements for cryptanalysis of the considered nonlinear filter keystream generator with (89-bit secret key) employing the proposed algebraic attack and the algebraic attack based on results reported in [6,8,9] assuming in the second case that the algebraic degree is d = 3 instead the initial d = 4 due to the transformation f ′ (·) = (x2 ⊕ 1)f (·) pre-processing time complexity
processing time complexity
required sample
required memory for processing
algebraic attack based on results reported in [6,8,9]
∼ 245
∼ 230
∼ 217
∼ 230
proposed Algorithm I, B = 34
∼ 257
∼ 224
∼ 257
∼ 239
(ii) the employed nonlinear function is the following particular instance of Boolean functions with “generalized cryptographic properties” recently reported in [21]: f (x1 , x2 , x3 , x4 , x5 ) = x2 x3 x4 x5 ⊕ x1 x2 x3 ⊕ x1 x4 ⊕ x3 x5 ⊕ x1 ⊕ x2 ; (iii) the arguments x1 , x2 , x3 , x4 , x5 of the considered function f (·) are determined by the LFSR state elements from the positions 0, 1, 3, 30, 65, respectively (which correspond to a subset of the positions {0, 1, 3, 7, 12, 30, 44, 65, 80} involved from the LFSR in LILI-128 stream cipher [24]). The considered keystream generator is cryptanalyzed employing the approaches given in Sections 4 and 5 within the following scenarios: • We employ the proposed algebraic attack (Algorithm I) targeting the case when the arguments x2 and x3 are equal to zero implying that g(·) = 0 and accordingly f (·) = x1 . • The proposed fast correlation attack (Algorithm II) is employed targeting the case when the argument x3 is equal to zero implying that g(·) = x1 (x4 ⊕ 1) can be approximated by zero with p∗ = 0.25 (instead of p = 0.391875 which is introduced by the straightforward linearization of f (·)) and accordingly f (·) = x2 ⊕ e where e is a realization of a random variable E such that Pr(E = 1) = p∗ = 0.25. Regarding the sample required for the mounted algebraic attack, note the following: Due to employment of LFSR as LFSM and according to Proposition 4 [10], in the considered particular case, a much shorter sample is required than in a general case— Proposition 4 [10] implies that the required sample is O 2L−B+2Δ where Δ = 4 corresponding to the arguments x1 , x2 and x3 at the positions 0, 1 and 3 of the LFSR state. According to Propositions 1–8 in the considered particular case, Tables 3 and 4 summarize the complexities of the proposed algorithms and compare them with related previously reported algorithms. In general, the proposed approach reduces the processing time, but requires a much longer sample.
M.J. Mihaljevi´c / Decimation Based Algebraic and Correlation Attacks
197
Table 4. Numerical comparison of the requirements for cryptanalysis of the considered nonlinear filter keystream generator (with 89-bit secret key) employing the proposed fast correlation attack and related previously reported fast correlation attack pre-processing time complexity
processing time complexity
required sample
required memory for processing
fast correlation attack [14], B = 43, w = 3
∼ 264
∼ 263
∼ 219
∼ 219
proposed Algorithm II, B = 43, w = 3
∼ 260
∼ 257
∼ 260
∼ 214
7. Concluding Discussion This article points out to some recently developed advanced algebraic and correlation attacks and their implications regarding design of secure Boolean functions. A common characteristics of the discussed algorithms is that they perform cryptanalysis based on a conversion of the employed Boolean function into another one which provides opportunities for more efficient cryptanalysis. This conversion appears as a consequence of a proper decimation of the available sample in such a way that the selected keystream bits correspond to the vectorial inputs, of the Boolean functions, with a special characteristic as follows: Certain element (or in a general case more than one element) of the input vector are equal to zero. Accordingly, the main objective is to identify an appropriate sample decimation so that one of the following two goals is achieved: (a) at the decimated points, the algebraic degree of the modified Boolean function is (heavily) decreased; (b) at the decimated points, the function reduces to a nonlinear one which can be approximated by a linear one introducing the noise which is much smaller than the noise implied by a direct linearization of the original Boolean function. In the case when the goal (a) can be achieved, instead of employing just a straightforward algebraic attack assuming the original Boolean function, the considered approach takes into account certain (suitable) characteristics of the linear part which provide a possibility of dealing with a modified Boolean function with a lower algebraic degree. In the case when the goal (b) is achieved, instead of employing just a straightforward linearization of the original Boolean function, the considered approach takes into account certain (suitable) characteristics of the linear part so that the original Boolean function is converted into another one which provides a possibility for establishing relevant linear equations corrupted by a lower noise. Consequently, the recovery of the secret key via the correlation decoding approach becomes easier. The required decimation is based on the consideration of the state-transition matrix powers in order to find the ones which provide that the all zero pattern appears at prespecified positions as depicted in Figure 3. Efficiency of the attacks depend on certain characteristics of the employed Boolean function, and consequently the attacks imply certain design guidelines in order to make the function resistant against the decimation based attacks: They imply that not only the algebraic and correlation characteristics of a given Boolean function appear as the relevant ones but also “stability” of these characteristics after certain modifications of the considered Boolean function.
198
M.J. Mihaljevi´c / Decimation Based Algebraic and Correlation Attacks
Accordingly, the design of a Boolean function should take into account the following: • Correlation immunity of a modifications of Boolean functions obtained from the original one by setting any of the inputs (or a subset of inputs) to a constant value. • Algebraic (degree) immunity of a modifications of Boolean functions obtained from the original one by setting any of the inputs (or a subset of inputs) to a constant value. A straightforward way for evaluation of the above requirements is a step-by-step consideration of related characteristics of all possible relevant modifications of the initial Boolean function, and development of more sophisticated approaches still appears as an open issue.
References [1] A. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Roton, 1997. [2] N.T. Courtois, Higher order correlation attacks, XL algorithm and cryptanalysis of Toyocrypt, Proc. of ICISC 2002, Lecture Notes in Computer Science 2587 (2003), 182–199. [3] M.J. Mihaljevi´c and H. Imai, Cryptanalysis of TOYOCRYPT-HS1 stream cipher, IEICE Transactions on Fundamentals E85-A (2002), 66–73. [4] M.J. Mihaljevi´c and R. Kohno, Cryptanalysis of fast encryption algorithm for multimedia FEA-M, IEEE Communcations Letters 6 (2002), 382–384. [5] N.T. Courtois and W. Meier, Algebraic attacks on stream ciphers with linear feedback, Proc. of EUROCRYPT 2003, Lecture Notes in Computer Science 2656 (2003), 345–359. [6] N.T. Courtois, Fast algebraic attacks on stream ciphers with linear feedback, Proc. of CRYPTO 2003, Lecture Notes in Computer Science 2729 (2003), 176–194. [7] W. Meier, E. Pasalic, and C. Carlet, Algebraic attacks and decomposition of Boolean functions, Proc. of EUROCRYPT 2004, Lecture Notes in Computer Science 3027 (2004), 474–491. [8] F. Armknecht, Improving fast algebraic attacks, Proc. of FSE 2004, Lecture Notes in Computer Science 3017 (2004), 65–82. [9] P. Hawkes and G. Rose, Rewriting variables: the complexity of Fast algebraic attacks on stream ciphers, Proc. of CRYPTO 2004, Lecture Notes in Computer Science 3152 (2004), 390–406. [10] M.J. Mihaljevi´c and H. Imai, The decimated sample based improved algebraic attacks on the nonlinear filters, Proc. of SCN 2004, Lecture Notes in Computer Science 3352 (2005), 310–323. [11] T. Siegenthaler, Decrypting a class of stream ciphers using ciphertext only, IEEE Transactions on Computers C-34 (1985), 81–85. [12] W. Meier and O. Staffelbach, Fast correlation attacks on certain stream ciphers, Journal of Cryptology 1 (1989), 159–176. [13] M.J. Mihaljevi´c, M.P.C. Fossorier, and H. Imai, On decoding techniques for cryptanalysis of certain encryption algorithms, IEICE Transactions on Fundamentals E84-A (2001), 919–930. [14] M.J. Mihaljevi´c and J.Dj. Goli´c, A method for convergence analysis of iterative probabilistic decoding, IEEE Transactions on Information Theory 46 (2000), 2206–2211. [15] M.J. Mihaljevi´c, M.P.C. Fossorier, and H. Imai, Fast correlation attack algorithm with list decoding and an application, Proc. of FSE 2001, Lecture Notes in Computer Science 2355 (2002), 196–210. [16] P. Chose, A. Joux, and M. Mitton, Fast correlation attacks: An algorithmic point of view, Proc. of EUROCRYPT 2002, Lecture Notes in Computer Science 2332 (2002), 209–221. [17] T. Johansson and F. Jonsson, Theoretical analysis of a correlation attack based on convolutional codes, IEEE Trans. Information Theory 48 (2002), 2173–2181. [18] H. Molland, J.E. Mathiassen, and T. Helleseth, Improved fast correlation attack using low rate codes, Proc. of Cryptography and Coding 2003, Lecture Notes in Computer Science 2898 (2003), 67–81.
M.J. Mihaljevi´c / Decimation Based Algebraic and Correlation Attacks
199
[19] M.J. Mihaljevi´c, M.P.C. Fossorier, and H. Imai, Cryptanalysis of keystream generator by decimated sample based algebraic and fast correlation attacks, Proc. of INDOCRYPT 2005, Lecture Notes in Computer Science 3707 (2005), 155–168. [20] M.J. Mihaljevi´c, M.P.C. Fossorier, and H. Imai, A general formulation of algebraic and fast correlation attacks based on dedicated sample decimation, Proc. of AAECC 2006, Lecture Notes in Computer Science 3857 (2006), 203–214. [21] A. Braeken, V. Nikov, S. Nikova, and B. Preneel, On Boolean functions with generalized cryptographic properties, Proc. of INDOCRYPT 2004, Lecture Notes in Computer Science 3348 (2004), 120–135. [22] M.P.C. Fossorier, M.J. Mihaljevi´c, H. Imai, Y. Cui, and K. Matsuura, An algorithm for solving the LPN problem and its application to security evaluation of the HB Protocols for RFID authentication, Proc. of INDOCRYPT 2006, Lecture Notes in Computer Science 4329 (2006), 48–62. [23] M.P.C. Fossorier, M.J. Mihaljevi´c, and H. Imai, Modeling block encoding approaches for fast correlation attack, IEEE Transactions on Information Theory, accepted for publication. [24] L. Simpson, E. Dawson, J.Dj. Goli´c, and W. Millan, LILI Keystream Generator, Proc. of SAC 2000, Lecture Notes in Computer Science 2012 (2001), 248–261. [25] M.P.C. Fossorier, M.J. Mihaljevi´c, and H. Imai, Decimation based fast correlation attack, Proc. of 2007 IEEE Int. Symp. Inform. Theory (ISIT’2007), Nice, France, June 24–29, 2007, 456–460.
200
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-200
Constructing Families of Latin Squares over Boolean Domains Valentin A. NOSOV Lomonosov University, Moscow, Russia Abstract. We construct families of Latin squares over Boolean n-tuples. This construction uses representation of Latin squares by families of Boolean functions. In this connection we study a new property of Boolean functions called properness. For these families of functions we prove classifying results.
Introduction Latin squares is an important object in mathematics and cryptology and have numerous applications in cryptographic practice. Using Latin squares, one can construct ciphers that are called perfect according to theory of Shannon [1]. But in most cipher standards Latin squares are fixed, while changeability of Latin squares may raise the level of information security. There are many directions of research in the theory of Latin squares and the main emphasize is on approaches to constructing families of Latin squares under some conditions. Practicality of Latin squares in computer cipher systems requires them to have high dimension and to be changeable. Therefore it is convenient to specify a Latin square analytically and parametrically by a function of two variables that, given a number of row and a number of column, determines the element of the square. Latin square over a set S is an n × n table, where n = |S|, consisting of elements of S such that in each row and each column all elements are different. There are many applications of Latin squares in coding theory and cryptology, the origins come back to [1,2]. In the literature one can find a lot of representations of Latin squares in a table form, but all these representations are inapplicable in the case of a large n. In the present paper we represent some results related to analytic form construction of Latin squares over a set S, S been a set of Boolean n-tuples.
1. Main Results Let Bn be the set of binary n-tuples. In this case Latin square over Bn may be determined by a family of n Boolean functions
V.A. Nosov / Constructing Families of Latin Squares over Boolean Domains
201
f1 (x1 , . . . , xn , y1 , . . . , yn ), f2 (x1 , . . . , xn , y1 , . . . , yn ), ...
(1)
fn (x1 , . . . , xn , y1 , . . . , yn ) in 2n variables each, where a tuple (x1 , . . . , xn ) specifies a number of a row, while a tuple (y1 , . . . , yn ) specifies a number of a column. A tuple (f1 , . . . , fn ) determines the corresponding element of the square. Using certain results on the regularity of families of Boolean functions [3], it is easy to prove the next theorem. Theorem 1. A family of n Boolean functions f1 , . . . , fn in 2n variables x1 , . . . , xn , y1 , . . . , yn determines a Latin square iff the following holds: • if one takes any product fi1 , . . . , fik , 1 ≤ i1 < · · · < ik ≤ n, then its algebraic normal form does not contain terms including either x1 . . . xn or y1 . . . yn ; • the product f1 . . . fn contains both this terms and no other term containing either of them. This theorem does not provide an effective method of constructing the required functions, but may be useful for finding sufficient conditions. Now we turn to parametrization of families of Latin squares. Take a family of Boolean functions g = (g1 (z1 , . . . , zn ), . . . , gn (z1 , . . . , zn ))
(2)
in n variables z1 , . . . , zn . Let π1 (x1 , y1 ), . . . , πn (xn , yn )
(3)
be a system of two-variable Boolean functions. Let a system of Boolean functions f1 , . . . , fn in 2n variables x1 , . . . , xn , y1 , . . . , yn be defined by relations: f1 = x1 + y1 + g1 (π1 (x1 , y1 ), . . . , πn (xn , yn )), f2 = x2 + y2 + g2 (π1 (x1 , y1 ), . . . , πn (xn , yn )), ...
(4)
fn = xn + yn + gn (π1 (x1 , y1 ), . . . , πn (xn , yn )) Now we recall the definition from [4]. A family of Boolean functions g = (g1 , . . . , gn ) is proper if for any pair of distinct n-tuples of variables z ′ = (z1′ , . . . , zn′ ) and z ′′ = (z1′′ , . . . , zn′′ ) there exists α ∈ 1, n such that the next relation holds: zα′ = zα′′ ,
gα (z1′ , . . . , zn′ ) = gα (z1′′ , . . . , zn′′ ).
(5)
Theorem 2. A system of Boolean functions f1 , . . . , fn of the form (4) determines a Latin square for any system of two-variable Boolean functions π1 , . . . , πn if and only if the family g = (g1 , . . . , gn ) is proper.
202
V.A. Nosov / Constructing Families of Latin Squares over Boolean Domains
Proof. Let there exist two-variable Boolean functions π1 , . . . , πn and a family of functions f1 , . . . , fn of the form (4) that do not determine a Latin square. Then we have f1 (x′1 , . . . , x′n , y1 , . . . , yn ) = f1 (x′′1 , . . . , x′′n , y1 , . . . , yn ), (6)
... fn (x′1 , . . . , x′n , y1 , . . . , yn ) = fn (x′′1 , . . . , x′′n , y1 , . . . , yn )
for certain x′1 , . . . , x′n , x′′1 , . . . , x′′n , y1 , . . . , yn , where (x′1 , . . . , x′n ) = (x′′1 , . . . , x′′n ), or f1 (x1 , . . . , xn , y1′ , . . . , yn′ ) = f1 (x1 , . . . , xn , y1′′ , . . . , yn′′ ), (7)
... fn (x1 , . . . , xn , y1′ , . . . , yn′ ) = fn (x1 , . . . , xn , y1′′ , . . . , yn′′ )
for certain x1 , . . . , xn , y1′ , . . . , yn′ , y1′′ , . . . , yn′′ , where (y1′ , . . . , yn′ ) = (y1′′ , . . . , yn′′ ). Let (6) hold. Then, using (4), we get x′1 + g1 (π1 (x′1 , y1 ), . . . , πn (x′n , yn )) = x′′1 + g1 (π1 (x′′1 , y1 ), . . . , πn (x′′n , yn ), (8)
... x′n + gn (π1 (x′1 , y1 ), . . . , πn (x′n , yn )) = x′′n + gn (π1 (x′′1 , y1 ), . . . , πn (x′′n , yn )).
Let z ′ = (z1′ , . . . , zn′ ), where zi′ = πi (x′i , yi ), i = 1, n and z ′′ = (z1′′ , . . . , zn′′ ), where zi′′ = πi (x′′i , yi ), i = 1, n. Consider the pair g(z ′ ) = (g1 (z ′ ), . . . , gn (z ′ )), g(z ′′ ) = (g1 (z ′′ ), . . . , gn (z ′′ )). If for any α ∈ 1, n gα (z ′ ) = gα (z ′′ ), then the definition of properness for the family g = (g1 , . . . , gn ) is violated on the pair (z ′ , z ′′ ). If there exists α ∈ 1, n such that gα (z ′ ) = gα (z ′′ ), then from (8) we get x′α = x′′α . Then πα (x′α , yα ) = πα (x′α , yα ), so we have zα′ = zα′′ . Consequently, in this case the definition of properness violates for the family g1 , . . . , gn on the pair (z ′ , z”). The case (7) is treated along the same lines. So we have proved that if for any functions π1 , . . . , πn the system of functions (4) does not determine a Latin square, then the family g1 , . . . , gn is not proper. Now suppose that the family g1 , . . . , gn is not proper. This means that there exists a pair of variables z ′ = (z1′ , . . . , zn′ ) and z ′′ = (z1′′ , . . . , zn′′ ) such that for all α ∈ 1, n satisfying zα′ = zα′′ we have gα (z ′ ) = gα (z ′′ ). Consider arbitrary x1 , . . . , xn and y1 , . . . , yn and a pair ((x′1 , . . . , x′n ), (x′′1 , . . . , x′′n )), where x′i = xi + gi (z ′ ),
i ∈ 1, n; (9)
... x′′i = xi + gi (z ′′ ), Now take the functions π1 , . . . , πn such that
i ∈ 1, n.
V.A. Nosov / Constructing Families of Latin Squares over Boolean Domains
πi (x′i , yi ) = zi′ ,
i ∈ 1, n; (10)
... πi (x′′i , yi ) = zi′′ ,
203
i ∈ 1, n.
This is impossible only when x′i = x′′i but zi′ = z”i for some i ∈ 1, n. But if x′i = x′′i , then from (9) we have gi (z ′ ) = gi (z ′′ ) and by condition on z ′ and z ′′ we have zi′ = zi′′ . Now it is easy to see, using (4), that elements of the square corresponding to (x′1 , . . . , x′n , y1 , . . . , yn ) and (x′′1 , . . . , x′′n , y1 , . . . , yn ) are equal to (x1 , . . . , xn ) and the square (4) is not Latin for the given functions π1 , . . . , πn . Remark 1. The notion of properness for a family of Boolean functions was introduced in [4] in connection with regularity (substitution property) of Boolean automata. In this paper the next theorem is proved. Theorem 3. A family of Boolean functions f1 , . . . , fn in variables x1 , . . . , xn is proper if and only if for any product fi1 . . . fik the corresponding algebraic normal form does not contain terms including the product xi1 . . . xik . Now consider the relations between properness and regularity of families of Boolean functions. It is easy to prove the next theorem. Theorem 4. A family of Boolean functions f = (f1 , . . . , fn ) is proper if and only if the family g1 , . . . , gn is regular, where gi = ai fi + xi , for all constants ai , i = 1, n. Now we turn to classifying results on properness of families of functions. In order to use the above construction of Latin squares, one needs to describe some classes of proper families of Boolean functions. For any family of functions f = (f1 , . . . , fn ) in variables x1 , . . . , xn , define a digraph Gf = (V, E), where V = {1, . . . , n} and (i, j) ∈ E iff the variable xi is essential for fj . It is easy to see that if Gf = (V, E) is acyclic, then the family f = (f1 , . . . , fn ) is proper. The opposed does not hold. Now consider the family f = (f1 , . . . , fn ), where f1 = x2 x3 . . . xn , ...
(11)
fn = x1 x2 . . . xn−1 . It is easy to see that digraph Gf is complete, but the family f = (f1 , . . . , fn ) is proper. Let M be the class of all multi-affine functions. That is, every function f ∈ M is a conjunction of linear functions. Let f be a family of multi-affine functions. This means that f = fi , i ∈ 1, n can be represented as
204
V.A. Nosov / Constructing Families of Latin Squares over Boolean Domains
f1 =
k1 0
li1 (x1 . . . xn ),
i=1
f2 =
k2 0
li2 (x1 . . . xn ),
i=1
(12)
... fn =
kn 0
lin (x1 . . . xn ),
i=1
where ki , i ∈ 1, n, is the number of linear functions in fi , and lit = at1 x1 +· · ·+atn xn +bt is a linear function over the field F2 , 1 ≤ t ≤ n. Define a digraph G0f = (V, E), where V = {1, 2, . . . , n} and (i, j) ∈ E ⇐⇒ ∃ s such that the function lsj contains xi (that is, ajs = 1). Remark 2. The digraph G0f subsumes the digraph Gf as a subgraph. Generating graphs G0f is easy, while generating graphs Gf is NP-hard problem for many classes of functions [5]. A cycle is called simple if there is no proper subset of its vertices that also has a cycle. Theorem 5. A family of multi-affine functions f = fi , i ∈ 1, n is proper if and only if for every simple cycle C of the digraph G0f 0
i∈C
fi (x1 , . . . , xn ) ≡ 0.
(13)
Proof. Let there exists a simple cycle C in the digraph Gf , while condition (13) does, i.e., 0 fi (x1 , . . . , xn ) = 0 (14) i∈C
Let C = i1 , . . . , is , ik ∈ 1, n. This means that the formula for the function fi1 contains variable symbol xi2 and does not contain variable symbols xi1 , xi3 , . . . , xis . The same is true for functions fi2 , . . . , fis . The functions fi1 , . . . , fis can be written as fi1 = (· · · + xi2 + . . . ) . . . (· · · + xi2 + . . . )φi1 (x1 , . . . , xn ), ...
(15)
fis = (· · · + xi1 + . . . ) . . . (· · · + xi1 + . . . )φis (x1 , . . . , xn ), where φi1 is a multi-affine function not containing xi2 . Similarly, φis is a multi-affine 0 0 function / not containing the entering xi1 . By (14) there is n-tuple x = (x1 , . . . , xn ) such that i∈C fi (x01 , . . . , x0n ) = 1. Consequently, we have fi1 (x01 , . . . , x0n ) = · · · = fis (x01 , . . . , x0n ) = 1.
(16)
V.A. Nosov / Constructing Families of Latin Squares over Boolean Domains
205
Consider the n-tuple x = (x01 , . . . , x0i1 , . . . , x0is , . . . , x0n ) obtained from x = by negating of variables with indices in C. Then from (15) we conclude
(x01 , . . . , x0n )
x) = 0. x) = · · · = fis ( x) = fi2 ( fi1 (
(17)
From (16) and (17) we see that the family f is not proper if we take the pair (x, x ), where = (x01 , . . . , x0i1 , . . . , x0is , . . . , x0n ). x = (x01 , . . . , x0n ) and x Conversely, suppose that for any simple cycle C of the digraph G0f relation (13) holds. For the family f = fi , i ∈ 1, n consider the family f = fi , i ∈ 1, n , where f(x1 , . . . , xn ) = xi + fi (x1 , . . . , xn )
∀ i ∈ 1, n.
(18)
Let I ⊆ 1, n be a set of indices, ǫI = (ǫα ), α ∈ I, ǫ ∈ {0, 1} be a set of constants. For any function g = (g1 , . . . , gn ) we put g ǫI (xi , i ∈ CI) = g(x1 , . . . , xn )|xα =ǫα ,α∈I . That is, the variables with indices I are substituted by constants ǫI , CI denotes the complement of I in 1, n. Lemma 2 in [4] proves that f is a proper family if and only if the family fǫI = fiǫI , i ∈ CI
is regular for all I = 1, n and all ǫI . To prove regularity of families of Boolean functions g = (g1 , g2 , . . . , gn ) in variables x1 , x2 , . . . , xn we use criteria of Huffman (see [3]), according to which the family g = (g1 , g2 , . . . , gn ) is regular if and only if for any indices i1 , i2 , . . . , ik , k ≤ n − 1, the product gi1 gi2 . . . gik does not contain the term x1 x2 . . . xn in its ANF, but the product g1 g2 . . . gn does contain this term. Suppose the set I is empty. Prove the regularity of the family f = fi ), i ∈ 1, n . We have 0 0 fj . (19) xi f1 . . . fn = x1 . . . xk + i∈p1
j∈p2
The/sum is over / all partitions (p1 , p2 ) of the set i ∈ 1, n, where p2 = ∅. Prove that x i∈p1 i j∈p2 fj for any (p1 , p2 ), p2 = ∅, does not contain the term x1 x2 . . . xn . Suppose, on the contrary, that for/any (p1 , p2 ), p2 = ∅, there is the term/x1 x2 . . . xn in ANF. Then fj = 0 if j ∈ p2 and j∈p2 fj (x1 . . . xn ) contains the term j∈p2 xj . Consider the subgraph Hf (p2 ) of the digraph Gf containing the vertices of the set p2 . By the definition we have that each vertex has at least one outgoing arc. It is easy to see that in this case Hf (p2 ) contains a simple cycle C and by the theorem hypothesis we have 0 fj (x1 . . . xn ) = 0. j∈C
206
V.A. Nosov / Constructing Families of Latin Squares over Boolean Domains
But the set p2 contains the vertices of C as a subset. Consequently, we have 0
j∈p2
/
/
fj (x1 . . . xn ) ≡ 0.
fj if p2 = 0 does not subsume the term x1 x2 . . . xn . Therefore, by (19) the product f1 . . . fn contains this term. Let now k be such that k < n and there exist indices 1 ≤ i1 < · · · < ik ≤ n such that the product fi1 . . . fik contains the term x1 x2 . . . xn . We have Then the term
i∈p1
xi
j∈p2
fi1 . . . fik = xi1 xi2 . . . xin +
0
xi
i∈p1
0
fj .
(20)
j∈p2
The sum is over all partitions (p1 , p2 ) of the set i ∈ 1, n, where / p2 =/∅. This means that the term there exists a partition (p1 , p2 ), p2 = ∅, such that j∈p2 fj/subsumes i∈p1 xi / the term x1 x2 . . . xn . Consequently, the term j∈p2 fj subsumes the term i∈Cp1 xi , where Cp1 is the complement / of the set p1 in 1, n. Since the functions with indices in the set p2 produce the term i∈Cp1 xi , by the definition of the digraph Gf each vertex of Cp1 has at least one outgoing arc with end vertex in p2 . By the/definition, we have p2 ⊂ Cp1 and therefore the graph Hf (p2 ) contains a cycle. Then j∈p2 fj (x1 . . . xn ) ≡ 0 and the term x1 x2 . . . xn does not appear in (20). Thus, we have proved that the family f1 . . . fn is regular according to Huffman’s criteria. Let I be a proper subset of 1, n, ǫI be an arbitrary set of constants. Regularity of the family f ǫI = (f ǫI , i ∈ CI) (in variables xi , i ∈ CI) may be proved along the same lines. This is possible because substitution of variables by constants preserves multiaffinity. Now we give a recursive construction of proper families of functions. Let f ′ be a family of functions in variables zi0 , . . . , zin . Define a family of n + s1 + · · · + sn functions f = (fij ) in variables zij , i = 1, . . . , n, j = 1, . . . , si (s1 , . . . , sn are arbitrary nonnegative integers) by relations ′ fi1 = Φi1 (fi0 , zi0 ), ′ fi2 = Φi2 (fi0 , zi0 , zi1 ),
...
(21)
′ fist = Φist (fi0 , zi0 , zi1 , . . . , zist−1 ), ′ fi0 = Φi0 (fi0 , zi0 , zi1 , . . . , zist ),
where Φi0 , Φi1 , . . . , Φist are arbitrary functions with appropriate arities. Theorem 6. If the family f ′ is proper, then for any functions Φij , i ∈ 1, n, j ∈ 0, st the family f is proper as well. ′ ′′ Proof. Suppose the family f is not proper. Then there is a pair of distinct tuples (z , z ), ′ ′ ′′ ′′ where z = zij , i ∈ 1, n, j ∈ 0, st and z = zij , i ∈ 1, n, j ∈ 0, st , such that ′ ′′ fαβ (z ′ ) = fαβ (z ′′ ) for all α, β satisfying zαβ
= zαβ . There are two possibilities:
V.A. Nosov / Constructing Families of Latin Squares over Boolean Domains
207
′ ′ ′′ ′′ 1. z0′ = z0′′ , where z0′ = (z10 , . . . , zn0 ), z0′′ = (z10 , . . . , zn0 ). By the definition, ′ ′′ ′ ′ ′
= zα0 for the family f0 = (f10 , . . . , fn0 ) there is α ∈ 1, n such that zα0 ′ ′′ ′ and fα0 (z ) = fα0 (z ). From relations (21) we get that fα1 (z ) = fα1 (z ′′ ) ′ ′′ = zα1 . Once again from relations (21), we and by assumption we have zα1 ′ ′′ ′ ′′
= zα2 . Proceeding in the get fα2 (z ) = fα2 (z ) and therefore we have zα2 ′′ ′ same way, we get the relation zαst = zαst , and from (21) we get the relation ′ ′′
= zα0 , a contradiction. fα0 (z ′ ) = fα0 (z ′′ ) and hence zα0 ′ ′′ 2. z0 = z0 . In this case from relations (21) we have fi1 (z ′ ) = fi1 (z ′′ ) for all ′ ′′ = zi1 for all i ∈ 1, n. Now from (21) we i ∈ 1, n. By assumption we have zi1 ′ ′′ ′ ′′ = zi2 for all i ∈ 1, n. have fi2 (z ) = fi2 (z ) for all i ∈ 1, n. This implies zi2 ′′ ′ Proceeding in this way, we obtain that zist = zist for all i ∈ 1, n and, consequently, z ′ = z ′′ . This contradicts the choice of the pair (z ′ , z ′′ ). This proves that the family f is proper.
Remark 3. The paper [6] generalizes some results of the present paper to families of functions over Abelian groups.
References [1] C. Shannon, Communication theory of secrecy system, Bell System Techn. J. 28(4) (1949), 656–715. [2] J. Denes and A.D. Keedwell, Latin squares and their applications, Budapest, 1974. [3] D.A. Huffman, Canonical forms for information lossless finite-state logical machines, IRE Trans. Circ. Theory 6 (1959), 41–59. [4] V.A. Nosov, Criterion of regularity of a nonautonomous Boolean automaton with separated input, Intellectual Systems 3(3–4) (1998), 269–280 (in Russian). [5] V.B. Alekseev and V.A. Nosov, NP-complete problems and their polynomial-time versions. A survey, Review of industrial and applied math. 4(2) (1997), 165–193 (in Russian). [6] V.A. Nosov and A.E. Pankratiev, Latin squares over Abelian groups, Fundamental and applied math. 12(3) (2006), 65–71 (in Russian). English translation: Journal of Mathematical Sciences 149(3) (2008).
208
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-208
On Almost Perfect Nonlinear Boolean Functions François RODIER 1 Institut de Mathématiques de Luminy, Marseille, France Abstract. Nyberg has introduced the notion of almost perfect nonlinearity to study differential attacks on cryptosystems. Here I will give two criterion so that a function is not almost perfectly nonlinear. Keywords. Vectorial Boolean function, almost perfect nonlinearity, nonlinearity, sum-of-square indicator, surface
Introduction Boolean functions are an important tool in computer sciences. Vectorial Boolean functions are especially useful in private key cryptography for designing block ciphers. They bring confusion in the part of the round function called S-box. An important criterion on Boolean functions is a high resistance to differential cryptanalysis. K. Nyberg [1] has introduced the notion of almost perfect nonlinearity (APN) to study resistance to differential attacks. Moreover APN functions arise also in such domains as sequences, error correcting codes. . . The classification of APN functions is far from being completed. Up to now, the study of APN functions was essentially devoted to power functions (see for example [2, 3,4,5]). Recently, A. Pott and his team showed that certain quadratic polynomials in two terms were APN [6] and that they were not equivalent to power functions. I present here a result toward the classification of APN functions given by polynomials. I give two criterion so that a function is not almost perfectly nonlinear. The first is a by-product of the analysis of some Boolean function linked with some supersingular curves on finite fields. With E. Férard, we evaluated the sum-of-squares indicator of these Boolean functions, which is related to the APN property. The second is using a result about surfaces on finite fields. H. Janwa showed, by using A. Weil’s bound, that certain cyclic codes could not correct two errors [7]. A. Canteaut showed by using the same method that the power functions were not APN for a too large value of the exponent [8]. I could generalize this result to polynomials [9] by using a result of P. Deligne (or more exactly an improvement, which is due to S. Ghorpade and G. Lachaud) on Weil’s conjectures. 1 Institut de Mathématiques de Luminy — C.N.R.S., 163 avenue de Luminy, Case 907, Marseille Cedex 9, France.
F. Rodier / On Almost Perfect Nonlinear Boolean Functions
209
1. Preliminaries 1.1. Boolean Functions Let m be a positive integer and q = 2m . Definition 1. A Boolean function with m variables is a map from the space Vm = Fm 2 into F2 . A Boolean function is linear if it is a linear form on the vector space Vm . It is affine if it is equal to a linear function up to addition of a constant. 1.2. Nonlinearity Nonlinearity is an important cryptographic property of Boolean functions. The more they are far from affine function, the more they are resistant to the attacks. So it is essential that cryptographic Boolean functions have a high nonlinearity. Definition 2. We call nonlinearity of a Boolean function f : Vm → F2 the distance from f to the set of affine functions with m variables: nl(f ) = min d(f, h) h affine
where d is the Hamming distance. One can show that the nonlinearity is equal to nl(f ) = 2m−1 − with " " " " "f "
∞
" 1" " " "f " 2 ∞
χ(f (x) + v · x) , = sup v∈Vm x∈Vm
where v · x denote the usual scalar product in Vm and χ(f ) = (−1)f . It is the maximum of the Fourier transform of χ(f ) (the Walsh transform of f ): f(v) =
x∈Vm
χ(f (x) + v · x).
Thus the nonlinearity is linked to the maximum of the absolute value of the Fourier transform of a Boolean function.
210
F. Rodier / On Almost Perfect Nonlinear Boolean Functions
1.3. The Sum-of-Square Indicator Let f be a Boolean function on Vm . X.-M. Zhang and Y. Zheng introduced the sum-ofsquare indicator [10], as a measure of the global avalanche criterion: σf =
" 1 4 " " "4 f (x) = "f" . q 4 x∈Vm
" " " " " " " " " " " " " " " " We remark that "f" ≤ "f" ≤ "f" . The spectral amplitude "f" has to be 2 4" " ∞ ∞ " " √ " " " " low, and as close as possible to "f" which is a fixed number equal to q. As "f" 4 2 " " " " is squeezed between these two values, the values of "f" may be considered as a first 4 " " " " approximation of "f" . In some cases they may be easier to compute. The relationship ∞ of this sum-of-square indicator with nonlinearity was studied by A. Canteaut et al. [11]. 2. APN Functions m Let us consider a function G : Fm 2 → F2 . If we use the function G in a S-box of a cryptosystem, the efficiency of differential cryptanalysis is measured by the maximum of the cardinality of the set of elements x in Fq such that G(x + a) + G(x) = b where a and b are elements in Fm 2 and a = 0. As this cardinality is obviously even, and that this maximum cannot be 0, this maximum can only be at least 2. This explains the definition of almost perfect nonlinear functions.
Definition 3. The function G is said to be APN (almost perfect nonlinear) if for every m m a = 0 in Fm 2 and b ∈ F2 , there exists at most 2 elements of F2 such that G(x + a) + G(x) = b.
3. First Criterion I will give here a criterion for some functions not to be APN. I assimilate the field Fq with the vector space Fm 2 as they have the same vector space structure. Theorem 1. The polynomial mapping G : Fq → Fq x → a7 x7 +
s
bi x2
i
+1
0
is not APN for m ≥ 13 + 2s and m is odd. Before giving the proof of this proposition, let me recall some results. The first one is a result that I obtained with E. Férard (Proposition 4.1 of [12], or [13]) about the sum-of-square indicator of a Boolean function. For γ ∈ Fq , consider
F. Rodier / On Almost Perfect Nonlinear Boolean Functions
211
the function fγ (x) = Tr(G(γx)) where Tr is the trace function of Fq on F2 . We computed an approximation of the value of sum-of-square indicator for the polynomial fγ (x). The method was to investigate carefully the supersingular curve of genus 2 isomorphic to the curve y 2 + y = fγ (x + a) + fγ (x). " "4 " " Proposition 1. The value of "f" on F2m when m is odd and f (x) = Tr(G(x)) is such 4 that " " " "4 "f" − 3q 2 ≤ 185 × 2s−1 q 3/2 . 4
The second result is due to F. Chabaud and S. Vaudenay [14, Lemma 3] (or see [15] where this proposition was rediscovered). Proposition 2. One has γ∈F∗q σ(fγ ) ≥ 2q 2 (q − 1). The function G is APN if and only if the equality is true.
Proof of Theorem 1. The theorem follows from Proposition 1 from which one gets a " "4 " " lower bound for "fγ " = σ(fγ ). One apply then the previous result 2. 4
4. Second Criterion Let G be a polynomial mapping of Fq in itself. We can rephrase the definition of an APN function. Proposition 3. The function G : Fq → Fq is APN if and only if the surface G(x0 ) + G(x1 ) + G(x2 ) + G(x0 + x1 + x2 ) = 0 has all of its rational points contained in the surface (x0 + x1 )(x2 + x1 )(x0 + x2 ) = 0. Then the following corollary is easy by using J-P. Serre’s bound on the number of points of a surface of given degree [16]. Corollary 1. If G is APN and if the affine surface X of equation G(x0 ) + G(x1 ) + G(x2 ) + G(x0 + x1 + x2 ) =0 (x0 + x1 )(x2 + x1 )(x0 + x2 ) is absolutely irreducible, then the corresponding projective surface has at most 3((d − 3)q + 1) rational points, where d is the degree of G and q = 2m . We can now state the second criterion. Theorem 2. Let G be a polynomial from Fq to Fq , d its degree. Let us suppose that the curve X∞ of equation xd0 + xd1 + xd2 + (x0 + x1 + x2 )d =0 (x0 + x1 )(x2 + x1 )(x0 + x2 ) is smooth. Then if m ≥ 6 and d < q 1/6 + 3.9, G is not APN.
212
F. Rodier / On Almost Perfect Nonlinear Boolean Functions
Proof. The curve X∞ is the intersection of the surface X f (x0 ) + f (x1 ) + f (x2 ) + f (x0 + x1 + x2 ) =0 (x0 + x1 )(x2 + x1 )(x0 + x2 ) with the plane at infinity. As X∞ is nonsingular, one can deduce that X is nondegenerate, and is regular in codimension one. From an improvement of a theorem of P. Deligne on Weil’s conjectures by S. Ghorpade and G. Lachaud [17,18], we deduce |X(k) − q 2 − q − 1| ≤ (d − 4)3 q 3/2 . If q > (d − 4)6 + 6d − 20 then X(k) > 3((d − 3)q + 1) and so f is not APN. 4.1. When Is X∞ Nonsingular? H. Janwa and R.M. Wilson [7] studied the curve X∞ and they deduced certain cases where it is nonsingular. Proposition 4. The curve X∞ is nonsingular for the values d = 2l + 1 where • l is an odd integer such that there exists an integer r with 2r ≡ −1 (mod l); • l is a prime number greater than 17 such that the order of 2 modulo l is (l − 1)/2. In particular the first condition is satisfied if l is a prime number congruent to ±3 modulo 8.
5. An Example By the first criterion, the functions x → x7 + b2 x5 + b1 x3 + b0 x2 cannot be APN for m ≥ 17. By the second criterion, the same functions cannot be APN for m ≥ 11. Note that the function x → x7 is APN on F32 as 7 is a Welsh exponent for m = 5 [2]. References [1] K. Nyberg, Differentially uniform mappings for cryptography, Proc. of EUROCRYPT 93 (Lofthus, 1993), Lecture Notes in Comput. Sci. 765 (1994), Springer-Verlag, Berlin, 55–64. [2] A. Canteaut, P. Charpin, and H. Dobbertin, Couples de suites binaires de longueur maximale ayant une corrélation croisée à trois valeurs: conjecture de Welch, C. R. Acad. Sci. Paris Sér. I Math. 328(2) (1999), 173–178. [3] H. Dobbertin, Almost perfect nonlinear power functions over GF(2n ): the Niho case, Inform. and Comput. 151 (1999), 57–72. [4] H. Dobbertin, Almost perfect nonlinear power functions over GF(2n ): the Welch case, IEEE Trans. Inform. Theory 45 (1999), 1271–1275. [5] H. Dobbertin, Almost perfect nonlinear power functions over GF(2n ): a new case for n divisible by 5, Proc. of Finite Fields and Applications FQ5, Augsburg, Germany, D. Jungnickel and H. Niederreiter, eds., Springer-Verlag, 2000, 113–121. [6] L. Budaghyan, C. Carlet, P. Felke, and G. Leander, An infinite class of quadratic APN functions which are not equivalent to power mappings, Cryptology ePrint Archive, Report 2005/359, http://eprint.iacr.org/.
F. Rodier / On Almost Perfect Nonlinear Boolean Functions
213
[7] H. Janwa and R.M. Wilson, Hyperplane sections of Fermat varieties in P 3 in char. 2 and some applications to cyclic codes, Proc. of Applied algebra, algebraic algorithms and error-correcting codes (San Juan, PR, 1993), Lecture Notes in Comput. Sci. 673 (1993), Springer-Verlag, Berlin, 180–194. [8] A. Canteaut, Differential cryptanalysis of Feistel ciphers and differentially δ-uniform mappings, Proc. of Selected Areas on Cryptography (SAC’97), Ottawa, Canada, 1997, 172–184. [9] F. Rodier, Borne sur le degré des polynômes presque parfaitement non-linéaires, arXiv:math.AG/0605232, 2006, http://arxiv.org/. [10] X.-M. Zhang and Y. Zheng, GAC—the Criterion for Global Avalanche Characteristics of Cryptographic Functions, Journal of Universal Computer Science 1(5) (1995), 316–333. [11] A. Canteaut, C. Carlet, P. Charpin, and C. Fontaine, Propagation characteristics and correlationimmunity of highly nonlinear Boolean functions, Proc. of EUROCRYPT 2000 (Bruges), Lecture Notes in Comput. Sci. 1807 (2000), Springer-Verlag, Berlin, 507–522. [12] E. Férard and F. Rodier, Non linéarité des fonctions booléennes données par des traces de polynômes de degré binaire 3, to be published with the conference SAGA 2007, available on arXiv:0706.0447, http://arxiv.org/. [13] E. Férard and F. Rodier, Nonlinarity of Boolean functions and hyperelliptic curves, preprint, arXiv:0705.1751, http://arxiv.org/. [14] F. Chabaud and S. Vaudenay, Links between differential and linear cryptanalysis, Proc. of EUROCRYPT 94, Perugia, Italy, May 9–12, 1994, Lecture Notes in Comput. Sci. 950 (1995), Springer-Verlag, Berlin, 356–365. [15] T. Berger, A. Canteaut, P. Charpin, and Y. Laigle-Chapuy, On almost perfect nonlinear functions over F2n , IEEE Trans. Inform. Theory 52(9) (2006), 4160–4170. [16] J.-P. Serre, Lettre à M. Tsfasman, Astérisque 198-199-200 (1991), 351–353. [17] P. Deligne, La conjecture de Weil: I, Publications Mathématiques de l’IHES 43 (1974), 273–307. [18] S. Ghorpade and G. Lachaud, Étale cohomology, Lefschetz theorems and number of points of singular varieties over finite fields, Mosc. Math. J. 2(3) (2002), 589–631.
214
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-214
On the Nonexistence of Homogeneous Rotation Symmetric Bent Boolean Functions of Degree Greater Than Two ˘ ˘1 Pantelimon STANIC A Naval Postgraduate School, Monterey, CA, USA Abstract. In this paper we present a result towards the conjectured nonexistence of homogeneous rotation symmetric bent functions having degree > 2. Keywords. Boolean function, algebraic normal form, nonlinearity, rotational symmetry
Introduction The class of rotation symmetric Boolean functions (RSBFs) has received a lot of attention from a combinatorial and cryptographic perspective [1,2,3,4,5,6,7,8,9,10]. The initial study on the nonlinearity of these functions was done in [3], where nonlinearity was the main focus. Later on, the nonlinearity and correlation immunity of such functions have been studied in detail in [1,4,5,6,8,9]. Applications of such functions in hashing has also been investigated [7]. The set of RSBFs are interesting to look into as the space n n is much smaller (≈ 22 /n ) than the total space of Boolean functions (22 ) and the set contains functions with very good cryptographic properties. It has been experimentally demonstrated that there are functions in this class which are good in terms of balancedness, nonlinearity, correlation immunity, algebraic degree and algebraic immunity (resistance against algebraic attack) [10] at the same time. It is interesting to note that the famous Patterson–Wiedemann functions [11] that achieve nonlinearity 16276 (strictly greater than nonlinearity 215−1 − 2(15−1)/2 obtained by bent functions concatenation) in 15 variables are in fact rotation symmetric. Moreover, Kavut et al. [12,13,14] proved that there exist rotation symmetric functions in 9 variables having nonlinearity 241 and 242 (which is also strictly greater than the bent concatenation nonlinearity 29−1 − 2(9−1)/2 ), which was rather surprising and gives further motivation for the rotation symmetric Boolean functions investigation. Regarding, the combinatorial structure of these functions, St˘anic˘a et al. [9] showed that the Walsh spectra of RSBFs give rise to a certain matrix with interesting combinatorial properties that helps in fast calculations of different cryptographic properties of these 1 Applied Mathematics Department, Naval Postgraduate School, Monterey, CA 93943, USA; E-mail: [email protected]. The author was partially supported by the Naval Postgraduate School RIP funding.
P. St˘anic˘a / On the Nonexistence of Homogeneous Rotation Symmetric Bent Boolean Functions
215
functions. Later this matrix has been studied in detail in [5,6] for odd number of variables and new structures have been discovered. However, the problem remained open for even variable case. It is well known that bent functions only exist on even number of variables [15]. The rotation symmetric bent functions have been studied in detail in [1,3,9,8]. Here, we present a large class of homogeneous RSBFs which are not bent. This partially answers the conjecture presented in [8]. Preliminaries A Boolean function f on n variables may be viewed as a mapping from Fn2 = {0, 1}n into the two-element field F2 ; it can also be interpreted as the output column of its truth table f , that is, a binary string of length 2n : f = [f (0, 0, . . . , 0), f (1, 0, . . . , 0), . . . , f (1, 1, . . . , 1)]. The Hamming distance between S1 , S2 is denoted by d(S1 , S2 ) = #(S1 = S2 ). Also the Hamming weight or simply the weight of a binary string S is the number of ones in S. This is denoted by wt(S). An n-variable function f is said to be balanced if its output column in the truth table contains equal number of 0’s and 1’s (i.e., wt(f ) = 2n−1 ). The addition operator over F2 is denoted by ⊕. An n-variable Boolean function f can be considered to be a multivariate polynomial over F2 . This polynomial can be expressed as a sum of products representation of all distinct k-th order products (0 ≤ k ≤ n) of the variables. More precisely, f (x1 , . . . , xn ) can be written as a0 ⊕
%
1≤i≤n
ai x i ⊕
%
1≤i n. For (x1 , x2 , . . . , xn ) ∈ Fn2 , we extend the definition by ρkn (x1 , x2 , . . . , xn−1 , xn ) = (ρkn (x1 ), ρkn (x2 ), . . . , ρkn (xn−1 ), ρkn (xn )). Hence, ρkn acts as k-cyclic rotation on an n-bit vector. Definition 1. A Boolean function f is called rotation symmetric if for each input (x1 , . . . , xn ) ∈ Fn2 , f (ρkn (x1 , . . . , xn )) = f (x1 , . . . , xn ) for 1 ≤ k ≤ n. That is, the rotation symmetric Boolean functions are invariant under cyclic rotation of inputs. The inputs of a rotation symmetric Boolean function can be divided into partitions so that each partition consists of all cyclic shifts of one input. A partition is generated by Gn (x1 , x2 , . . . , xn ) = {ρkn (x1 , x2 , . . . , xn ) | 1 ≤ k ≤ n} and the number of such partitions is denoted by gn . Thus the number of n-variable RSBFs is 2gn . Let φ(k) be Euler’s phi-function, then it can be shown by Burnside’s lemma that (see [8]) gn = (1/n) k|n φ(k)2n/k . By gn,w we denote the number of partitions with weight w. For the formula of how to calculate gn,w for arbitrary n and w, we refer to [8,5,6]. A partition, or group, is completely determined by its representative element Λn,i , which is the lexicographically first element belonging to the group [9]. These representative elements are again arranged lexicographically. The rotation symmetric truth table (RSTT) is defined as the gn -bit string [f (Λn,0 ), f (Λn,1 ), . . . , f (Λn,gn−1 )]. 1. The Result Construction and enumeration of bent RSBFs have been studied in [3,8,9,1]. In [8], it has conjectured that there are no homogeneous bent RSBFs of degree greater than two. Some partial result in this direction has been presented in [9, Theorem 5]. Here we will present another approach which provides a different insight into this problem. Let us now recall [16, Theorem 30]. Theorem 1 (Zheng–Zhang–Imai [16]). Let f be a function on Fn2 and J be a subset of {1, 2, . . . , n} such that f does not contain any term xj1 · · · xjt where t > 1 and j1 , . . . , jt ∈ J. Then the nonlinearity of f , Nf ≤ 2n−1 − 2s−1 , where s = |J|. As an example, take an 8-variable RSBF f having SANF x1 x2 x3 , i.e., the algebraic normal form x1 x2 x3 ⊕ x2 x3 x4 ⊕ x3 x4 x5 ⊕ x4 x5 x6 ⊕ x5 x6 x7 ⊕ x6 x7 x8 ⊕ x7 x8 x1 ⊕ x8 x1 x2 . Refer to [9, Section 3] for the definition of Short Algebraic Normal Form (SANF). Let J = {1, 2, 4, 5, 7} as in the previous theorem. It is easy to see that there is no term in f with all indices from J. Since |J| = 5, it follows that the nonlinearity ≤ 27 − 24 = 128 − 16 = 112; in reality, the nonlinearity is 80.
P. St˘anic˘a / On the Nonexistence of Homogeneous Rotation Symmetric Bent Boolean Functions
217
Next, we present our main result which gives more insight to the mentioned conjecture than [9, Theorem 5]. Theorem 2(iii) supports the conjecture presented in [8] for a large class of homogeneous RSBFs. For a homogeneous degree d RSBF f with its SANF s (i) given by i=1 βi , where βi = xk(i) xk(i) · · · xk(i) (note that k1 is 1 for all i), we define 1
(i)
(i)
2
(i)
d
(i)
(i)
(i)
a sequence dj , j = 1, 2, . . . , ki−1 , by dj = kj+1 − kj . Let df = maxi,j dj , that is, the largest distance between two consecutive indices in all monomials of f .
Theorem 2. The following hold for a homogeneous RSBF f of degree d ≥ 3 in n variables: (i) If the SANF of f is x1 . . . xd , then f is not bent. (ii) If the SANF of f is x1 x2 . . . xd−1 xd ⊕ x1 x2 . . . xd−1 xd+1 , then f is not bent, assuming: (n − 2)/4 > ⌊n/d⌋, if n ≡ 1 (mod d); n/4 > ⌊n/d⌋, if n ≡ 1 (mod d). (iii) In general, if df < (n/2 − 1)/⌊n/d⌋, then f is not bent. Proof. It is easy to check the claim for n = 6. Now we consider d ≥ 3 and n ≥ 8. Take the rotation symmetric Boolean function f with SANF x1 x2 . . . xd . Assume first that n ≡ 0 (mod d). Let J = {1, 2, . . . , d − 1, d + 1, d + 2, . . . , 2d − 1, 2d + 1, . . . , ⌊n/d⌋d − 1, ⌊n/d⌋d + 1, . . . , n − 1}. Since f is homogeneous and there are no d consecutive indices (assume xn+1 := x1 , etc.), as required by the terms of f , it follows that the set J satisfies the conditions of Theorem 1. To find the number of elements of J, we count the missing indices, obtaining |J| = n − ⌊n/d⌋ − 1. Thus, Nf ≤ 2n−1 − 2n−⌊n/d⌋−2 . Since d ≥ 3 and n ≥ 8, then ⌊n/d⌋ + 1 ≤ ⌊n/3⌋ + 1 ≤ n/3 + 1 < n/2. Therefore, n − ⌊n/d⌋ − 2 > n/2 − 1, which implies Nf < 2n−1 − 2n/2−1 , so f is not bent. If n ≡ 0 (mod d), take J = {1, 2, . . . , d − 1, d + 1, d + 2, . . . , 2d − 1, 2d + 1, . . . , ⌊n/d⌋d − 1 = n − 1}, with |J| = n − n/d. Thus, Nf ≤ 2n−1 − 2n−⌊n/d⌋−1 < 2n−1 − 2n/2−1 , so f is not bent, in this case, as well. We prove next claim (ii) for the homogeneous rotation symmetric Boolean function f with SANF x1 x2 . . . xd ⊕ x1 x2 . . . xd−1 . Assume that n ≡ 0, 1 (mod d). Take J = {1, 2, . . . , d−1, d+2, . . . , ⌊n/d⌋d−1, ⌊n/d⌋d+2, . . . , n−2}, which satisfies Theorem 1, since there are no d consecutive indices with a gap of length 2. By counting missing indices, we obtain |J| = n − 2⌊n/d⌋ − 1, therefore Nf ≤ 2n−1 − 2n−2⌊n/d⌋−2 < 2n−1 − 2n/2−1 , if n/2 − 1 < n − 2⌊n/d⌋ − 2, which is equivalent to n > 4⌊n/d⌋ + 2. Next, assume that n ≡ 0 (mod d), respectively, n ≡ 1 (mod d). In these cases, take J0 = {2, . . . , d−1, d+2, . . . , ⌊n/d⌋d−1 = n−1}, respectively, J1 = {1, 2, . . . , d− 1, d+2, . . . , ⌊n/d⌋d−1 = n−2}. Both J0 , J1 satisfy Theorem 1 and as before, counting missing indices, we obtain |J0 | = n − 2⌊n/d⌋ − 1 and J1 = n − 2⌊n/d⌋. It follows that, under n ≡ 0 (mod d), Nf ≤ 2n−1 − 2n−2⌊n/d⌋−2 < 2n−1 − 2n/2−1 , if n/2 − 1 < n − 2⌊n/d⌋ − 2, which is equivalent to n > 4⌊n/d⌋ + 2. Also, under n ≡ 1 (mod d), Nf ≤ 2n−1 − 2n−2⌊n/d⌋−1 < 2n−1 − 2n/2−1 , if n/2 − 1 < n − 2⌊n/d⌋ − 1, which is equivalent to n > 4⌊n/d⌋. We prove now claim (iii). If df = 1, it follows that f is generated by x1 x2 · · · xd , and the result follows from part (i). Assume that df ≥ 2. Case 1. n ≡ k0 (mod d), k0 ≥ df . We use once again Theorem 1. Take J1 = {df , df + 1, . . . , d−1, d+df , d+df +1, . . . , d⌊n/d⌋−1 = n−k0 −1, d⌊n/d⌋+df , . . . , n− 1}.
218
P. St˘anic˘a / On the Nonexistence of Homogeneous Rotation Symmetric Bent Boolean Functions
Case 2. n ≡ k0 (mod d), 0 ≤ k0 < df . Take J2 = {df − k0 , df − k0 + 1, . . . , d − 1, d + df , d + df + 1, . . . , d⌊n/d⌋ − 1 = n − k0 − 1}. Both J1 , J2 satisfy the conditions of Theorem 1 and |J1 | = n − df ⌊n/d⌋ − 1, |J2 | = n−df ⌊n/d⌋. Therefore, in Case 1, Nf ≤ 2n−1 −2n−df ⌊n/d⌋−2 < 2n−1 −2n/2−1 , with the last inequality holding if and only if n/2 − 1 < n − df ⌊n/d⌋ − 2. The last inequality follows from our imposed condition df < (n/2 − 1)/⌊n/d⌋. In Case 2, Nf ≤ 2n−1 − 2n−df ⌊n/d⌋−1 < 2n−1 − 2n/2−1 , with the last inequality holding if and only if n/2 − 1 < n − df ⌊n/d⌋ − 1. The last inequality follows from df < (n/2 − 1)/⌊n/d⌋ < (n/2)/⌊n/d⌋. References [1] J. Clark, J. Jacob, S. Maitra, and P. St˘anic˘a, Almost Boolean Functions: The Design of Boolean Functions by Spectral Inversion, Computational Intelligence 20(3) (2004), 450–462. [2] T. W. Cusick and P. St˘anic˘a, Fast Evaluation, Weights and Nonlinearity of Rotation-Symmetric Functions, Discrete Mathematics 258 (2002), 289–301. [3] E. Filiol and C. Fontaine, Highly nonlinear balanced Boolean functions with a good correlationimmunity, Proc. of EUROCRYPT 98, Springer-Verlag, 1998. [4] M. Hell, A. Maximov, and S. Maitra, On efficient implementation of search strategy for rotation symmetric Boolean functions, Proc. of Ninth International Workshop on Algebraic and Combinatoral Coding Theory, ACCT 2004, June 19–25, 2004, Black Sea Coast, Bulgaria. [5] A. Maximov, M. Hell, and S. Maitra, Plateaued Rotation Symmetric Boolean Functions on Odd Number of Variables, Cryptology ePrint Archive, Report 2004/144, http://eprint.iacr.org/. [6] A. Maximov, Classes of Plateaued Rotation Symmetric Boolean functions under Transformation of Walsh Spectra, Cryptology ePrint Archive, Report 2004/354, http://eprint.iacr.org/. [7] J. Pieprzyk and C. X. Qu, Fast Hashing and Rotation-Symmetric Functions, Journal of Universal Computer Science 5 (1999), 20–31. [8] P. St˘anic˘a and S. Maitra, Rotation Symmetric Boolean Functions—Count and Cryptographic Properties, Proc. of R.C. Bose Centenary Symposium on Discrete Mathematics and Applications, December 2002, Electronic Notes in Discrete Mathematics 15, Elsevier. The extended version will appear in Discrete Applied Mathematics, 2008. [9] P. St˘anic˘a, S. Maitra, and J. Clark, Results on Rotation Symmetric Bent and Correlation Immune Boolean Functions, Proc. of Fast Software Encryption Workshop (FSE 2004), New Delhi, India, Lecture Notes in Computer Science 3017 (2004), Springer-Verlag, 161–177. [10] D.K. Dalai, K.C. Gupta, and S. Maitra, Results on Algebraic Immunity for Cryptographically Significant Boolean Functions, Proc. of INDOCRYPT 2004, to be published in Lecture Notes in Computer Science, Springer-Verlag. [11] N.J. Patterson and D.H. Wiedemann, The covering radius of the (215 , 16) Reed–Muller code is at least 16276, IEEE Trans. Inform. Theory 29 (1983), 354–356; see also the correction in IEEE Trans. Inform. Theory 36 (1990), 443. [12] S. Kavut, S. Maitra, and M.D. Yücel, Enumeration of 9-variable Rotation Symmetric Boolean Functions having Nonlinearity > 240, Proc. of Indocrypt 2006, Lecture Notes in Computer Science 4329 (2006), Springer, 266–279. [13] S. Kavut, S. Maitra, and M.D. Yücel, Search for Boolean Functions With Excellent Profiles in the Rotation Symmetric Class, IEEE Trans. Inform. Theory 53 (2007), 1743–1751. [14] S. Kavut and M.D. Yücel, Generalized Rotation Symmetric and Dihedral Symmetric Boolean Functions—9 variable Boolean Functions with Nonlinearity 242, Proc. of AAECC 2007, to appear. [15] O.S. Rothaus, On bent functions, Journal of Combinatorial Theory, Series A 20 (1976), 300–305. [16] Y. Zheng, X.-M. Zhang, and H. Imai, Restriction, terms and nonlinearity of Boolean functions, Theoretical Computer Science 226 (1999), 207–223. [17] P. Savicky, On the bent Boolean functions that are symmetric, European Journal of Combinatorics 15 (1994), 407–410.
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-219
219
On Correlation Immune Boolean Functions1 Yuriy TARANNIKOV 2 Lomonosov University, Moscow, Russia Abstract. In the present paper we consider correlation immune Boolean functions and related problems. We give some interesting and important results as well as open problems. Of course, we could not give in a short paper all known results. Therefore, the facts most interesting for the author were selected.
1. Boolean Functions A Boolean function of n arguments is a map f : Fn2 → F2 , Fn is the set of all Boolean functions f : Fn2 → F2 for a given n. The concept of Boolean function is central to • • • •
mathematical logic; discrete mathematics; computer science; mathematical cryptography.
One of most important application of Boolean functions in cryptography is the using of a Boolean function in symmetric cryptography as a nonlinear combiner or a nonlinear filter in stream ciphers or in S-boxes in block ciphers. The main cryptographic properties of Boolean functions are nonlinearity, correlation immunity and resiliency, algebraic immunity, perfect balancedness etc. The concept of a correlation immune function was introduced by T. Siegenthaler [1] in 1984 when he considered the correlation attack on stream cipher with a nonlinear combiner: Definition 1. A Boolean function f defined on Fn2 is said to be correlation immune of order m, with 1 ≤ m ≤ n, if the output of f and any m input variables are statistically independent. 1 This
work was supported by the Russian Foundation for Basic Research (grant no. 07-01-00154). & Math. Department, Lomonosov University, 119899 Moscow, Russia; E-mail: [email protected]. 2 Mech.
220
Y. Tarannikov / On Correlation Immune Boolean Functions
This definition has an equivalent non-probabilistic (combinatorial) formulation: Definition 2. A Boolean function f is called correlation immune of order m if wt(f ′ ) = wt(f )/2m for any its subfunction f ′ of n − m variables. A balanced mth order correlation immune function is called m-resilient. In other words a Boolean function f is m-resilient if wt(f ′ ) = 2n−m−1 for any its subfunction f ′ of n − m variables. The definition of a resilient function was introduced independently of [1] in the wellknown paper of six authors [2]. Note that this paper deals with general cryptographic problems and does not deal with symmetric ciphers.
2. Correlation Immune Functions and Related Objects There exist also another mathematical objects similar or in some cases even identical to correlation immune functions. These objects are • simple binary orthogonal arrays; • codes considered in respect of their dual distances. A (binary) orthogonal array (OA) OA(h, n, q(= 2), m) is an h × n matrix with entries from {0, 1} such that within any m columns every ordered tuple of binary symbols occurs in exactly λ = h/2m rows. ⎛ ∗ ∗ ... ⎜∗ ∗ . . . ⎜ ⎜∗ ∗ . . . ⎜ ⎜∗ ∗ . . . ⎜ ⎜ .. .. . . ⎝. . .
⎞ ∗ ∗⎟ ⎟ ∗⎟ ⎟ , ∗⎟ ⎟ .. ⎟ .⎠ ∗ ∗ ... ∗
h rows, n columns.
OA is called simple if all rows in this array are different. The value m is called a strength of OA. Any binary matrix can be considered as an orthogonal array (maybe of strength 0). If a binary matrix is a (h, n, 2, m)-OA but it is not a (h, n, 2, m + 1)-OA then we say that the maximal strength of this OA is m. Orthogonal arrays appeared in Statistics in the theory of designs of experiments. OA were introduced in the paper of Rao [3]. In this interpretation columns of an array correspond to parameters of experiments, and its rows correspond to experiments. It is necessary to organize the list of experiments such that any combination of m parameters will appear in the same number of experiments. Of course, it is possible to produce all possible q n experiments but it can be too big number, so it will be very noneffective process. Therefore, it is desired to minimize the number of rows in OA. It demonstrates the difference in approaches: in the theory of OA the main problem is to minimize the number of rows in OA or to give lower bounds on the number of rows in OA. At the same time in the theory of symmetric ciphers the main interest is in the studying of balanced functions (i.e., simple OA’s with 2n−1 rows but also many additional cryptographically important properties are required).
Y. Tarannikov / On Correlation Immune Boolean Functions
221
The first lower bound on the number of rows in OA was the Rao Bound obtained in the mentioned work [3] of Rao: h≥
⌊m/2⌋
i=0
n . i
Since then many other bounds were obtained. Most of them were obtained using the well developed technique of orthogonal polynomials. We mention Bierbrauer–Friedman Bound [4,5]:
n n . h≥2 1− 2(m + 1) This bound was obtained by Friedman [4] for the binary case and by Bierbrauer [5] for the case of an arbitrary q (we don’t give here the exact formula for an arbitrary q). Bierbrauer–Friedman Bound is good for high values of m whereas Rao Bound is good for small values of m. Proofs of these bounds are based usually on the constructing of some vector spaces and the systems of orthogonal vectors in these spaces. The monograph [6] is devoted to orthogonal arrays. A simple (h, n, 2, m)-OA can be associated with the code C in F2 where C is the set of vectors in F2 defined by the rows of OA. It is well-known that if a code C is linear then the maximal strength of associated OA is d′ − 1 where d′ (C) = d C ⊥
is the dual distance of C (i.e., code distance of the code C ⊥ dual to C). The weight distribution A(C ⊥ ) = (B0 , B1 , . . . , Bn ) of a code C ⊥ dual to linear code C can be found using the weight distribution A(C) = (A0 , . . . , An ) of a code C by means of MacWilliams equations [7], and the minimal positive integer i such that Bi = 0 is equal to the dual distance d′ . If C is not linear then its dual code C ⊥ is not defined. Nevertheless, Delsarte showed [8] that if one calculates formally the weight distribution A C ⊥ = (B0 , B1 , . . . , Bn ) using MacWilliams equations and takes d′ to be the minimal positive integer i such that Bi = 0 then the maximal strength of OA associated with C will be d′ − 1 as well as for a linear code. The minimal positive integer index i such that Bi = 0 is called the dual distance d′ of the code C. A correlation immune function is a particular case of an orthogonal array (OA), namely, mth order correlation immune function of n inputs with weight Wf corresponds to the simple (Wf , n, 2, m)-OA (all vectors σ such that f (σ) = 1 are written in rows of OA). This fact was pointed out by Camion, Carlet, Charpin and Sendrier in [9]. Thus, the maximal order of correlation immunity of a Boolean function is equal to the maximal strength of associated OA, and equal to the value of the dual distance of its characteristic code minus one.
3. Correlation Immunity and Further Cryptographical Criteria There exist many other cryptographically important parameters.
222
Y. Tarannikov / On Correlation Immune Boolean Functions
The algebraic degree of f , denoted by deg(f ), is defined as the number of variables in the longest term in the polynomial (ANF) of f . There exists a trade-off between correlation immunity and algebraic degree given by Siegenthaler Bound [1]: Let f be mth order correlation immune function. Then deg(f ) ≤ n − m. Moreover, if f is m-resilient, m ≤ n − 2, then deg(f ) ≤ n − m − 1. Important tools for the investigating of correlation immune functions are Walsh Transform and Walsh coefficients. The Walsh Transform of a Boolean function f is an integer-valued function over Fn2 that can be defined as Wf (u) =
(−1)f (x)+u,x .
x∈Fn 2
The values Wf (u), u ∈ Fn2 , are called Walsh coefficients. Walsh coefficients satisfy Parseval’s equation
Wf2 (u) = 22n
u∈Fn 2
and Inversion formula (−1)f (x) = 2−n
Wf (u)(−1)u,x .
u∈Fn 2
The minimum distance between f and the set of all affine functions is called the nonlinearity of f and is denoted by nl(f ). Nonlinearity is expressed in terms of Walsh coefficients as follows: nl(f ) = 2n−1 −
1 max |Wf (u)|. 2 u∈Fn2
High nonlinearity of a Boolean function is important to avoid a possibility of good affine approximations of a Boolean function in ciphers for correlation, linear and other attacks. So, Walsh coefficients determine one of most cryptographically important properties of Boolean functions—namely, nonlinearity. At the same time Walsh coefficients are the strong tool for investigating of correlation immune functions. Below we explain it more detaily.
Y. Tarannikov / On Correlation Immune Boolean Functions
223
4. Spectral Characterization of Correlation Immune Functions Spectral characterization of correlation immune functions was obtained by Guo-Zhen and Massey [10]: Theorem 1. A Boolean function f on Fn2 is correlation immune of order m if and only if Wf (u) = 0 for all vectors u ∈ Fn2 such that 1 ≤ |u| ≤ m. Sarkar and Maitra [11] deduced other important properties of Walsh coefficients for correlation immune and resilient Boolean functions: Theorem 2. If f is an mth order correlation immune function on Fn2 , m ≤ n − 1, then Wf (u) ≡ 0 (mod 2m+1 ). Moreover, if f is m-resilient, m ≤ n − 2, then Wf (u) ≡ 0 (mod 2m+2 ). So, Walsh coefficients are • values that define nonlinearity of a function; • important tool to investigate the properties of correlation immune and resilient functions. Sarkar, Maitra, Tarannikov, Zhang, Zheng grouped in three independent research teams obtained [11,12,13] the upper bound on the nonlinearity of correlation immune and resilient Boolean functions. Namely, for an n-variable mth order correlation immune Boolean function f , n − m ≥ 1, the inequality nl(f ) ≤ 2n−1 − 2m holds. Moreover, if f is balanced (i.e., m-resilient), n − m ≥ 2, then nl(f ) ≤ 2n−1 − 2m+1 . Additionally, the next facts were established by these teams: • If f is m-resilient, m ≤ (n/2) − 2, then nl(f ) ≤ 2n−1 − 2(n/2−1) − 2m+1 [11]. • If f is m-resilient, and nl(f ) = 2n−1 − 2m+1 then deg(f ) = n − m − 1 [12]. • If f is m-resilient, and nl(f ) = 2n−1 − 2m+1 then f is plateaued [11,13]. 5. Bent Function and Plateaued Functions A Boolean function is called bent if the values of all its Walsh coefficients take one of two values ±2n/2 . Bent functions have the maximum possible nonlinearity 2n−1 − 2(n/2)−1 . A Boolean function f is called plateaued if its Walsh coefficients take exactly three possible values: 0 and ±2c for some integer c. The term “plateaued function” was introduced by Zheng and Zhang [14]. The plateaued functions have a big interest for the studying of bent functions (for example, by the reason that the decomposition of a bent function f = (xi + 1)f1 + xi f2 gives two plateaued functions f1 and f2 ) and by the reason that many cryptographically important functions are plateaued (for example, m-resilient functions of n variables with the maximum possible nonlinearity 2n−1 − 2m+1 ). It appears that many functions with optimal cryptographic parameters are plateaued. In particular, resilient functions that achieve the upper bound on nonlinearity mentioned above, must be plateaued.
224
Y. Tarannikov / On Correlation Immune Boolean Functions
6. Constructions of Correlation Immune Functions with Maximum Possible Nonlinearity Recall that upper bound on nonlinearity [11,12,13] implies that for any n-variable mth order correlation immune Boolean function f , n−m ≥ 1, the inequality nl(f ) ≤ 2n−1 − 2m holds. Moreover, if f is balanced (i.e., m-resilient), n − m ≥ 2, then nl(f ) ≤ 2n−1 − 2m+1 . Tarannikov [15] had constructed n-variable m-resilient Boolean functions with the maximum possible nonlinearity 2n−1 − 2m+1 for 0.6n − 1 ≤ m ≤ n − 2. In [16] Fedorova and Tarannikov constructed n-variable m-resilient Boolean functions with the maximum possible nonlinearity 2n−1 − 2m+1 for m ≥ 0.5902 . . . n(1 + o(1)). At the same time they proved that using their method it is impossible to improve this result. Existence of such functions for 0.5n − 1.5 ≤ m ≤ 0.5902 . . . n(1 + o(1)) remains an open problem without any advances since 2001. At the same time, for some new concrete (small) values of parameters the functions with these parameters were found recently. The constructing of m-resilient functions on Fn2 with the maximum possible nonlinearity: Resilient functions with maximum possible nonlinearity for n = 7, m = 2, nl = 56 were found by Pasalic, Maitra, Johansson and Sarkar [17]. Resilient functions with maximum possible nonlinearity for n = 9, m = 3, nl = 240 were found by Saber, Faisal, Uddin, Youssef [18] by means of an advanced heuristic search. Later other function with the same parameters were found by Kavut, Yucel and Maitra in [19] by a heuristic search in the framework of some theoretical approach. Khalyavin [20] had found new functions with the same parameters by an exhaustive search in the class of functions symmetric under cyclic shifts of the first 7 variables. Also he used advanced facts for the strong reduction of a search. Now the smallest open case for existence of functions with the maximal possible nonlinearity is n = 11, m = 4. The most usual methods to construct functions with concrete parameters are given in the next scheme. Methods to construct functions with concrete parameters: • algebraic construction; • heuristic search, the problem is to choose: ∗ method of a search technique, ∗ space of search, ∗ cost function; • search in a specific class: ∗ ∗ ∗ ∗
all functions, almost Boolean functions, rotation symmetric functions, other classes of functions.
At all ways the effective using of strong properties of functions is helpful.
Y. Tarannikov / On Correlation Immune Boolean Functions
225
7. Nonlinearity of Unbalanced Correlation Immune Functions Zheng and Zhang [13] proved that if 0.6n−0.4 ≤ m ≤ n−1 then nl(f ) ≤ 2n−1 −2m+1 . Botev [21] improved their result. He proved the next fact: Theorem 3. Let f be an unbalanced mth order correlation immune function on Fn2 , i is be a positive integer. If
i−1 π j 1 n 2i − 1 1 log2 n + + e8/9 − i, log2 m≥ + + log2 2 2 4 n 2 2 j=1 then nl(f ) ≤ 2n−1 − 2m+i . It appears [22] that if f is mth order correlation immune unbalanced function on Fn2 with the maximum possible nonlinearity 2n−1 − 2m then • f is plateaued; • f achieves the Siegenthaler’s bound; • the spectrum support of f is symmetric and can be calculated efficiently. Taking in a view the Parseval’s Identity it is possible to prove the nonexistence of mth order correlation immune functions of n variables with the nonlinearity 2n−1 − 2m for all parameters excepting m = 2i , n = 2i+1 + 1, or m = 2i + 1, n = 2i+1 + 2, i = 1, 2, 3, . . . Such functions with maximum possible nonlinearity do exist for m = 2, n = 5 and m = 3, n = 6 but are not known for any other values of parameters. The smallest open case is m = 4, n = 9, nl = 240. It is an open problem: whether some other values m and n are possible?
8. Autocorrelation Characteristics of Boolean Functions and Correlation Immunity Let f be a Boolean function on Fn2 . For each u ∈ Fn2 the autocorrelation coefficient of the function f at the vector u is defined as Δf (u) =
(−1)f (x)+f (x+u) .
x∈Fn 2
Zhang and Zheng [23] proposed the idea of Global Avalanche Characteristics (GAC). One of important indicators of GAC is the absolute indicator. Definition 3. Let f be a Boolean function on Fn2 . The absolute indicator of f is defined as Δf =
max
x∈Fn 2 \{0}
|Δf (x)|.
226
Y. Tarannikov / On Correlation Immune Boolean Functions
9. Bounds for the Absolute Indicator of a Resilient Functions Zhang and Zheng in 2000 [13] proved that Δf ≥ 2n /2n−m − 1. the next fact was proved in [21]: Theorem 4. Let f be an m-resilient Boolean function over Fn2 , m > (n − 3)/2. Then Δf ≥
2m − n + 3 n+1
2n .
This bound is strong for high m.
10. Upper Bound for the Number of Nonlinear Variables in High Order Resilient Functions The next theorem was proved in [21]: Theorem 5. Let f be an (m = n − k)-resilient Boolean function on Fn2 , k ≥ 2, and deg(f, xi ) ≥ 2 for each i = 1, . . . , n. Then n ≤ (k − 1)2k−2 . Thus, the number of nonlinear variables in high order resilient functions is restricted. The proof of this Theorem 5 is based on the next technical lemma. Technical Lemma. Let f be a Boolean function on Fn2 , deg(f, xi ) ≥ 2. Then
u∈Fn 2: ui =0
Wf2 (u) ≥ 22n−deg(f )+1 .
We remind briefly the proof of Theorem 5 since it contains important and helpful ideas. We form the matrix B with n column writing in rows of B each binary vector u ∈ Fn2 exactly Wf2 (u) times. ⎛ ∗ ... ⎜∗ . . . ⎜ B = ⎜. . ⎝ .. . .
⎞ ∗ ∗⎟ ⎟ .. ⎟ , .⎠ ∗ ... ∗
22n rows, n columns.
By Parseval’s equality the matrix B contains exactly 22n rows. By Xiao Guo-Zhen– Massey spectral characterization [10] each row of the matrix B contains at most k − 1 zeroes. It follows that the total number of zeroes in B is at most (k −1)22n . By Technical Lemma each column of B contains at least 22n−deg(f )+1 zeroes. Therefore n≤
(k − 1)22n = (k − 1)2deg(f )−1 . 22n−deg(f )+1
Siegenthaler Bound completes the proof of the Theorem 5.
Y. Tarannikov / On Correlation Immune Boolean Functions
227
Tarannikov in [12] constructed an (n − k)-resilient function on Fn2 , n = 3 · 2k−2 − 2, that depends nonlinearly on all its n variables. Thus, the maximum number p(k) of nonlinear variables in an (m = n − k)-resilient Boolean function satisfies 3 · 2k−2 − 2 ≤ p(k) ≤ (k − 1)2k−2 . More exact bound is an open problem. Corollary. Let f be an m-resilient Boolean function on Fn2 . If n ≥ (n − m − 1)2n−m−2 then Δf = 2n . It follows that quadratic m-resilient functions that depend nonlinearly on all n variables exist if and only if m ≤ n/2 − 1. Korolev [21] described all quadratic functions that achieve this bound: Theorem 6. Let f (x1 , . . . , x2n ) be an (2n)-variable (n − 1)-resilient function that depends quadratically on all n its variables. Then there exists a quadratic function g(y1 , . . . , yn ) such that σ
f (x1 , . . . , x2n ) = g(x1 ⊕ xn+1 , . . . , xn ⊕ x2n ) ⊕ x1 ⊕ · · · ⊕ xn . σ
The symbol = means that the left-hand side function can be represented in a form given by the right-hand side up to permutation of variables.
11. The Number of High Order Correlation Immune Functions Denote by A(k, i) the number of (i − k)-resilient Boolean functions on Fi2 each depending nonlinearly on all its i variables (a fictitious dependence is allowed). By Theorem 5 above the number R(n, n − k) of (n − k)-resilient functions on Fn2 is expressed by the next formula:
n . A(k, i) R(n, n − k) = i i=0 p(k)
The number K(n, n − k) of (n − k)th order correlation immune functions on Fn2 is expressed by the formula: p(k)
K(n, n − k) = 2 + R(n, n − k) = 2 +
i=0
A(k, i)
n i
for n > 3k − 3. (The last boundary is based on the result of Fon Der Flaass [24] formulated below.) It follows that R(n, n − k) ∼ K(n, n − k) ∼
A(k, p(k)) p(k) n . p(k)!
The exact values p(1) = 0, p(2) = 1 are trivial.
228
Y. Tarannikov / On Correlation Immune Boolean Functions
The value p(3) = 4 was found by Camion, Carlet, Charpin and Sendrier in [9]. The value p(4) = 10 was found by Kirienko [25]. The number of (n − 3)th order correlation function on Fn2 is 5 2 K(n, n − 3) = n4 − n3 + n + 4. 3 3 (This formula is a slight modification of the formula given in [9] for a bit different class of functions.) The next formula for the number of (n − 4)th order correlation function on Fn2 K(n, n − 4) =
1 10 7 9 890 8 10903 7 64288 6 953353 5 n + n + n − n + n + n 2 6 9 9 45 45 1341749 4 899881 3 364768 2 1048601 n + n + n − n+4 − 18 18 5 15
for n > 9 was obtained by Kirienko [26] using computer-aided search.
12. The Number of Low Order Correlation Immune Functions It is necessary to mention the asymptotic formulae for the number of small order correlation immune and resilient√functions obtained by Denisov [27]. If n → ∞, m(n) = o( n) then
m ( n−m n n R(n, m) ∼ exp2 2 − log2 π/2 ; − i m 2 i=0 ( R(n, m) π/2 · 2(n/2)−m K(n, m) ∼ G . m 1 + i=2 (i − 1)2 ni
n
13. Nonexistence of Unbalanced Nonconstant Correlation Immune Functions of High Orders The result of the next theorem was an open problem during some time. This open problem was solved recently by Fon Der Flaass. Theorem 7 (Fon Der Flaass [24]). Let f be an unbalanced nonconstant mth order correlation immune Boolean function on Fn2 . Then m ≤ (2/3)n − 1. Moreover, if m = (2/3)n − 1 then f is the (C0 , C1 )-perfect coloring, i.e., there exist positive integers C0 and C1 such that for any x ∈ Fn2 , f (x) = 0, #{y ∈ Fn2 | d(x, y) = 1, f (y) = 1} = C0 , and for any x ∈ Fn2 , f (x) = 1, #{y ∈ Fn2 | d(x, y) = 1, f (y) = 0} = C1 .
Y. Tarannikov / On Correlation Immune Boolean Functions
229
It is known [28] that parameters C0 and C1 satisfy the equality m = (C0 + C1 )/2 − 1. Moreover, any (C0 , C1 )-perfect coloring is mth order correlation immune function for m = (C0 + C1 )/2 − 1 [28]. More advanced results follow from the theory of covering sequences developed by Carlet and Tarannikov [29]. Note that the Fon Der Flaass bound is tight since it is achieved for n = 3s at (for example) the characteristic function of the linear code of codimension 2 with the dual distance 2s.
14. On the Number of Functions with Given Spectrum Support Consider (n − 4)-resilient plateaued functions whose spectrum support has 16 vectors. How many such function have the same spectrum support? Experimental result tells that the answer depends on affine rank of the spectrum support. The affine rank k of the spectrum support Sf E is the dimension of a smallest coset in Fn2 that contains Sf . More detaily, the experiments show that • • • •
if k = 4 then there are 7 · 27 = 896 functions with the spectrum support Sf ; if k = 5 then there are 3 · 27 = 384 functions with the spectrum support Sf ; if k = 6 then there are 1 · 27 = 128 functions with the spectrum support Sf ; if k = 7 then there are 0 functions with the spectrum support Sf .
The same holds for an arbitrary plateaued functions f with |Sf | = 16. where Sf is the spectrum support of f . Open problems are • to prove these experimental facts correctly; • to consider the problem for an arbitrary |Sf |. 15. Some Facts about Affine Rank of Plateaued Functions The next facts were obtained by Tarannikov [30]: • Let f be a plateaued function, |Sf | = 16. Then for the affine rank k of the spectrum support Sf the inequality k ≤ 6 holds. • For any positive integer k such that 2h ≤ k ≤ 2h+1 − 2 there exists a plateaued function with a spectrum support of cardinality 4h and the affine rank k. • Let f be a plateaued function, |Sf | = 4h . Then for the affine rank k of a spectrum support Sf the inequality k ≤ 22h−1 − 2h−1 + h holds. Hypothesis. For any positive integer h the maximum possible affine rank of a plateaued function with a spectrum support of cardinality 4h is 2h+1 − 2.
230
Y. Tarannikov / On Correlation Immune Boolean Functions
References [1] T. Siegenthaler, Correlation immunity of nonlinear combining functions for cryptographic applications, IEEE Transactions on Information theory IT-30(5) (1984), 776–780. [2] B. Chor, O. Goldreich, J. Håstad, J. Friedman, S. Rudich, and R. Smolensky, The bit extraction problem or t-resilient functions, Proc. of IEEE Symposium on Foundations of Computer Science 26 (1985), 396– 407. [3] C.R. Rao, Factorial experiments derivable from combinatorial arrangements of array, Jour. Royal Statist. Soc. 9 (1947), 128–139. [4] J. Friedman, On the bit extraction problem, Proc. of 33rd IEEE Symposium on Foundations of Computer Science, 1992, 314–319. [5] J. Bierbrauer, Bounds on orthogonal arrays and resilient functions, Journal of Combinatorial Designs 3 (1995), 179–183. [6] A.S. Hedayat, N.J.A. Sloane, and J. Stufken, Orthogonal Arrays: Theory and Applications, New York, Springer-Verlag, 1999. [7] F.J. MacWilliams, A theorem on the distribution of weights in a systematic code, Bell Syst. Tech. J. 42 (1963), 79–94. [8] Ph. Delsarte, Four fundamental parameters of a code and their combinatorial significance, Information and Control 23(5) (1973), 407–438. [9] P. Camion, C. Carlet, P. Charpin, and N. Sendrier, On correlation immune functions, Proc. of Crypto’91, Lecture Notes in Computer Science 576 (1991), 86–100. [10] X. Guo-Zhen and J. Massey, A spectral characterization of correlation immune combining functions, IEEE Transactions on Information Theory 34(3) (1988), 569–571. [11] P. Sarkar and S. Maitra, Nonlinearity bounds and constructions of resilient Boolean functions, Proc. of Crypto’2000, Lecture Notes in Computer Science 1880 (2000), 515–532. [12] Yu. Tarannikov, On resilient Boolean functions with maximal possible nonlinearity, Proc. of Indocrypt’2000, Lecture Notes in Computer Science 1977 (2000), Springer-Verlag, 19–30. [13] Y. Zheng and X.-M. Zhang, Improved upper bound on the nonlinearity of high order correlation immune functions, Proc. of 7th Annual International Workshop on Selected Areas in Cryptography (SAC’2000), Lecture Notes in Computer Science 2012 (2001), Springer-Verlag, 264–274. [14] Yu. Zheng and X.-M. Zhang, Plateaued Functions, Proc. of the Second International Conference on Information and Communication Security (ICICS’99), Sydney, November 1999, Lecture Notes in Computer Science 1726, Springer-Verlag, 284–300. [15] Yu. Tarannikov, New constructions of resilient Boolean functions with maximal nonlinearity, Proc. of Fast Software Encryption, 8th International Workshop (FSE’2001), Yokohama, Japan, April 2–4, 2001, Revised Papers, Lecture Notes in Computer Science 2355 (2002), 66–77. [16] M. Fedorova and Yu. Tarannikov, On the constructing of highly nonlinear resilient Boolean functions by means of special matrices, Proc. of Indocrypt’2001, Chennai, India, December 16–20, 2001, Lecture Notes in Computer Science 2247 (2001), Springer-Verlag, 254–266. [17] E. Pasalic, S. Maitra, T. Johansson, and P. Sarkar, New constructions of resilient and correlation immune Boolean functions achieving upper bounds on nonlinearity, Proc. of International Workshop on Coding and Cryptography (WCC’2001), Paris, January 8–12, 2001, Electronic Notes in Discrete Mathematics 6, Elsevier Science, 2001. [18] Z. Saber, M. Faisal Uddin, and A. Youssef, On the existence of (9, 3, 5, 240) resilient functions. IEEE Transactions on Information Theory 52(5) (2006) 2269–2270. [19] S. Kavut, M. Yucel, and S. Maitra, Construction of Resilient Functions by the Concatenation of Boolean Functions Having Nonintersecting Walsh Spectra, Proc. of Third International Workshop on Boolean Functions: Cryptography and Applications, BFCA’07, May 2–3, 2007, Paris, France. [20] A. Khalyavin, The constructing of 3-resilient Boolean functions of 9 variables with nonlinearity 240, Cryptology ePrint Archive, Report 2007/212, http://eprint.iacr.org/. [21] Yu. Tarannikov, P. Korolev, and A. Botev, Autocorrelation coefficients and correlation immunity of Boolean functions, Proc. of Asiacrypt’2001, Gold Coast, Australia, December 9–13, 2001, Lecture Notes in Computer Science 2248 (2001), Springer-Verlag, 460–479. [22] Yu. Tarannikov, Numerical characteristics of Boolean functions, Discrete mathematics and its applications. The book of lectures at youth scientific schools in discrete mathematics and its applications, Moscow State University 1 (2001), 129–144 (in Russian).
Y. Tarannikov / On Correlation Immune Boolean Functions
231
[23] X.-M. Zhang and Yu. Zheng, GAC—The Criterion for Global Avalanche Characteristics of Cryptographic Functions, Journal of Universal Computer Science 1(5) (1995), 316–333. [24] D.G. Fon Der Flaass, A bound on correlation immunity, Siberian Electronic Mathematical Reports (http://semr.math.nsc.ru) 4 (2007), 133–135. [25] Yu. Tarannikov and D. Kirienko, Spectral analysis of high order correlation immune functions, Cryptology ePrint Archive, Report 2000/050, http://eprint.iacr.org/. [26] D.P. Kirienko, On the number of (n − 4)th order correlation immune and resilient Boolean functions. Proc. of VIII international workshop “Discrete mathematics and applications”, February 2–6, 2004, 421–424 (in Russian). [27] O.V. Denisov, A local limit theorem for the distribution of a part of the spectrum of a random binary function, Discrete Mathematics and Applications 12(1) (2000), 82–95. [28] B. Courteau and A. Montpetit, Dual distances of completely regular codes, Discrete Mathematics 89 (1991), 7–15. [29] C. Carlet, and Yu. Tarannikov, Covering sequences of Boolean functions and their cryptographic significance, Designs, Codes and Cryptography 25 (2002), 263–279. [30] Yu. Tarannikov, On values of the affine rank of the support of spectrum of a plateaued function, Discrete Mathematics and Applications 16(4) (2006), 401–421. [31] S. Maitra and P. Sarkar, Highly nonlinear resilient functions optimizing Siegenthaler’s Inequality, Proc. of Crypto’99, Lecture Notes in Computer Science 1666 (1999), 198–215.
232
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-232
A Cyclic Code Approach of Bent Functions over F2 and Z4 Jacques WOLFMANN 1 Université du Sud Toulon-Var, France Abstract. We present a description of bent functions by means of Cyclic Codes over F2 and Z4 (preliminary report). Keywords. Bent function, cyclic code over F2 , cyclic code over Z4
Introduction Bent functions are the Boolean functions whose Walsh coefficients have constant magnitude and were introduced by Rothaus in [1]. They are interesting for coding theory, cryptology and well-correlated binary sequences and the complete classification of bent functions is still an open problem. Classicaly, bent functions are studied by means of character sums, Fourier transform and group algebra. There exist connexions with Coding Theory, for example with the Kerdock Code. The Kerdock code Kt (see [2] or [3]) is a binary non-linear code of length 22t of cardinality 24t which contains R1 (2t) (Reed–Muller of order one) with the following property: If c ∈ Kt and c ∈ / R1 (2t), then c is the characteristic vector of a bent function f . If f and g are such bent functions, then f +g is an affine linear form or a bent function. It was first proved that there is a version of the Kerdock code as a binary non-linear doubly extended cyclic code [4]. By using the Gray map and the Nechaev–Gray which are maps from Zn4 into F2n 2 it was also proved that the Kerdock code the Gray image of an extended cyclic code over Z4 [5], and that the doubly extended cyclic code version of the Kerdock code is the Nechaev–Gray image of an extended cyclic code over Z4 ([6] and [7]). Trying to generalize these facts, the purpose of this work is to consider the following questions: is it possible to describe every bent function by using binary cyclic codes? What about vectors over Z4 whose Gray or Nechaev–Gray images are vector representations of bent functions? This paper is a preliminary report. The results are given without proofs which will appear in a forthcoming paper. 1 GRIM, Université du [email protected].
Sud
Toulon-Var,
83957
La
Garde
Cedex,
France;
E-mail:
J. Wolfmann / A Cyclic Code Approach of Bent Functions over F2 and Z4
233
1. Definitions and Notations 1.1. Boolean Functions and Cyclic Codes We first recall the usual definitions and notations. • R is a commutative ring, u ∈ N∗ , and AR (u) = R[x]/(xu − 1). The members of AR (u) are the polynomials a0 + a1 x + · · · + au−1 xu−1 of R[x] and the calculations are made modulo xu − 1. • r(x)! denotes the principal ideal of AR (u) generated by r(x). • The polynomial representation P of Ru in AR (u) is defined by P(a0 , a1 , . . . , ai , . . . , au−1 ) =
u−1
ai xi .
i=0
Special notations: • If R = Z4 = Z/4Z then r(x)! is denoted by r(x)!u4 . • If R = Z/2Z = F2 then r(x)! is denoted by r(x)!u2 . • A cyclic code of length u over R is a shift invariant sub-module of Ru . A subset C of Ru is a cyclic code of length u over R if and only if its polynomial representation is an ideal of AR (u). • A k-variable Boolean function is a map f from Fk2 into F2 . • The support of f is S(f ) = {v ∈ Fk2 | f (v) = 1}. • The complement of f is f defined by f (x) = f (x) = 1 + f (x) (modulo 2). • The vector (or truth table) Vf of f is defined as follows. If Fk2 = {v 0 , v 1 , . . . , v N −1 },
N = 2k ,
then Vf = (f (v 0 ), f (v 1 ), . . . , f (v N −1 )). Important remark: Vf depends on the bijection i → v i . • Hamming distance: d(f, g) = dH (Vf , Vg ) (dH : classical Hamming distance of k F22 ). • The weight w(f ) of f is defined by: w(f ) = w(Vf ) = #{i | f (v i ) = 1}. • Walsh coefficients of f . Let ·, ·! be the usual inner product in Fk2 . For every u ∈ Fk2 the Walsh coefficient cu is: cu = cu (f ) =
(−1)f (x)⊕u,x .
x∈Fk 2
1.2. A Special Representation of Boolean Functions We now introduce a special choice of the map i → v i which is used for the vector of a Boolean function.
234
J. Wolfmann / A Cyclic Code Approach of Bent Functions over F2 and Z4
From now on we identify Fk2 with the finite field F2k which is identified with F2 × F2k−1 . Define n = 2k−1 − 1 and let α be a primitive root of F2k−1 . We choose a special description of F2k = {v0 , v1 , . . . , vn , . . . , v2n+1 } with: v0 = (0, 1),
v1 = (0, α),
v2 = (0, α2 ), . . . , vn−1 = (0, αn−1 ), 2
vn+1 = (1, 1), vn+2 = (1, α), vn+3 = (1, α ), . . . , v2n = (1, α
n−1
vn = (0, 0),
), v2n+1 = (1, 0).
If f is a k-variable Boolean function, the vector of f now is: V (f ) = (f (v0 ), . . . , f (vn−1 ), f (vn ), f (vn+1 ), . . . , f (v2n ), f (v2n+1 )).
2. Bent Functions let F(k) be the set of k-variable Boolean functions. Let A(k) be the subset of affine linear functions. Definition 1. f ∈ F(k) is a bent function if d(f, A(k)) = max d(g, A(k))). g∈F (k)
In this work we consider bent function only if k is even. Proposition 1. Let f be a k-Boolean function with k = 2t. f is a bent function if and only if |cu | = 2t for all u ∈ F2t 2 (cu = Walsh coefficient). Proposition 2. If f is a 2t-variable bent function, then there exists ǫ ∈ {−1, +1} such that w(f ) = 22t−1 + ǫ2t−1 . An old open problem is the classification of bent functions, particularly if k is even. 2.1. A Useful Lemma and Consequences Lemma 1. Let be f a k-bent function and let e be in Fk2 . Let8 g be a linear form9of Fk2 such that g(e) = 1. Then there exists a k-bent function φ in f, f , h = f ⊕ g, h such that φ(0) = φ(e) = 0. The proof is obvious since the complement of a bent function and the sum of a bent function with a linear form are bent functions. Strategy: Lemma 1 shows that we can restrict the study to bent functions f such that f (0) = f (e) = 0. For further use we choose e = (1, 0, 0, . . . , 0). Notation. B− (k) is a set of k-bent functions f such that f (0, 0, . . . , 0) = f (1, 0, . . . , 0) = 0.
J. Wolfmann / A Cyclic Code Approach of Bent Functions over F2 and Z4
235
2.2. Polynomial Representation of B − (k) Let f be a k-Boolean function such that f (0, 0, . . . , 0) = f (1, 0, . . . , 0) = 0, k = 2t, n = 2k−1 − 1. A special case is f ∈ B− (k). By using the special representation introduced above, the vector representations of f is V = (f (v0 ), . . . , f (vn−1 ), 0, f (vn+1 ), . . . , f (v2n ), 0). Define the reduced vector of f as: V − = (f (v0 ), . . . , f (vn−1 ), f (vn+1 ), . . . , f (v2n )) = (p0 , p1 , . . . , pn−1 , q0 , q1 , . . . , qn−1 ). Definition 2. The F2 -polynomial representations Pf (x) of f is the polynomial repren−1 n−1 sentation of V − . p(x) = i=0 pi xi and q(x) = i=0 qi xi are the two polynomials in F2 [x]/(xn − 1), such that Pf (x) = p(x) + xn q(x). 3. Special Divisors of xn − 1 over F2 r−1 Notation. If i = j=0 ǫj 2j ∈ N then w2 (i) is the weight of (ǫ0 , ǫ1 , . . . , ǫj , . . . , ǫr−1 ) (binary weight of i). Let α be a primitive root of F22t−1 . For further use, we consider the following divisors of xn − 1: • mi (x): minimal polynomial of αi over F2 . • πj (x): product, without repetition, of the mi (x) such that w2 (i) = j. / • If u ≥ 1: Mu (x) = 1≤w2 (j)≤u πj (x), M0 (x) = 1.
Example 1. Let t = 3, n = 31. Then
x31 − 1 = m0 (x)m1 (x)m3 (x)m5 (x)m7 (x)m11 (x)m15 (x); w2 (i) = 1 ⇐⇒ i = 1,
w2 (i) = 2 ⇐⇒ i = 3, 5,
w2 (i) = 3 ⇐⇒ i = 7, 11, π1 (x) = m1 (x),
π2 (x) = m3 (x)m5 (x),
π3 (x) = m7 (x)m11 (x), M1 (x) = m1 (x),
w2 (i) = 4 ⇐⇒ i = 15; π4 (x) = m15 (x);
M2 (x) = m1 (x)m3 (x)m5 (x),
M3 (x) = m1 (x)m3 (x)m5 (x)m7 (x)m11 (x);
236
J. Wolfmann / A Cyclic Code Approach of Bent Functions over F2 and Z4
4. Result on the F2 -Polynomial Special Representation of Bent Functions Definition 3. The permutation σ[n] of F2 [x]/(xn − 1) is defined by σ[n] (u(x)) = xu(x) (shift modulo xn − 1). Proposition 3. Let Pf (x) = p(x) + xn q(x) be the polynomial representation of f ∈ B − (k) with p(x) and q(x) in F2 [x]/(xn − 1). Then
1) q(x) + xn p(x) is the polynomial representation of a bent function of B− (k); 2) σ[n] (p(x)) + xn σ[n] (q(x)) is the polynomial representation of a bent function of B− (k).
Definition 4. If f is a (k)-Boolean functions described with the special representation, then we define two (k − 1)-Boolean functions fp and fq by fp (αi ) = f (0, αi ), fp (0) = f (0, 0)
and
fq (αi ) = f (1, αi ), fq (0) = f (1, 0).
Notation. If u ∈ F2k−1 , then cu (p) and cu (q) are the Walsh coefficients of fp and fq .
Theorem 1. Let f be a 2t-Boolean function with f (0, 0) = f (1, 0) = 0. f is a bent function if and only if 1) for all u ∈ F2k−1 cu (p) and cu (q) are in {−2t , 0, 2t }; 2) |cu (p)| + |cu (q)| = 2t .
Remark 1. This theorem is a cyclic version of a result by Canteaut and Charpin [8] (also implicit in Courteau and Wolfmann [9]). Remark 2. (x − 1)Mi (x)!n2 form a chain of ideals in F2 [x]/(xn − 1): (x − 1)Mt−2 (x)!n2 ⊃ (x − 1)Mt−1 (x)!n2 ⊃ (x − 1)Mt (x)!n2
⊃ (x − 1)Mt+1 (x)!n2 ⊃ · · · ⊃ (x − 1)M2t−3 (x)!n2 .
(x − 1)M2t−3 (x)!n2 is the Simplex Code and (x − 1)M2t−2 (x)!n2 = {0}. This gives rise to a classification of bent functions of B − (k).
Theorem 2. Let f be in B− (k), k = 2t, n = 22t−1 − 1, w(f ) = 22t−1 + ǫ2t−1 with ǫ ∈ {−1, +1}. The polynomial representations of f is Pf (x) = p(x) + xn q(x). Define r(x) = p(x) ⊕ q(x). Then there exists i, t − 2 ≤ i ≤ 2t − 4 such that (a) p(x) and q(x) belong to (x − 1)Mi (x)!n2 and not to (x − 1)Mj (x)!n2 if i < j; (b) r(x) belongs to (x − 1)Mi+1 (x)!n2 ; (c) Pf (x) belongs to (x − 1)Mi+1 (x)!2n 2 .
Weights: w(p(x)) = w(r(x)) = 22t−2
and w(q(x)) = 22t−2 + ǫ2t−1
or w(p(x)) = 22t−2 + ǫ2t−1
and
w(q(x)) = w(r(x)) = 22t−2 .
J. Wolfmann / A Cyclic Code Approach of Bent Functions over F2 and Z4
237
Remark 3 (see [10]). Mi (x)!n2 is the punctured Reed–Muller code R(i + 2, 2t − 1)∗ . Mi+1 (x)!n2 is the punctured Reed–Muller code R(i + 3, 2t − 1)∗ . Therefore p(x) and q(x) are in the even weight subcode of R(i + 2, 2t − 1)∗ and r(x) is in the even weight subcode of R(i + 3, 2t − 1)∗ . 4.1. Examples Let t = 3 ,k = 6, n = 31. If f ∈ B− (6) then w(f ) = 22t−1 + ǫ2t−1 = 32 + 4ǫ with ǫ ∈ {−1, +1}. x31 − 1 = m0 (x)m1 (x)m3 (x)m5 (x)m7 (x)m11 (x)m15 (x) = (x − 1)(x5 + x2 + 1)(x5 + x4 + x3 + x2 + 1)(x5 + x4 + x2 + 1) × (x5 + x3 + x2 + x + 1)(x5 + x4 + x3 + x + 1)(x5 + x3 + 1), Mt−2 (x) = M1 (x) = m1 (x),
Mt−1 (x) = M2 (x) = m1 (x)m3 (x)m5 (x).
Example 2. Definition of f . Let γ be a primitive root of F64 , γ 6 + γ + 1 = 0, L = F∗8 = {1, γ 9 , γ 18 , γ 27 , γ 36 , γ 45 , γ 54 }. The support of f is L ∪ γL ∪ γ 2 L ∪ γ 3 L. Thus f is a “Partial-Spread Bent Function” (Dillon) (see [11]). (1, 0, 0, . . . , 0) is the vector representation of γ 5 and 0 and γ 5 are not in the support of f . Thus f ∈ B− (6). w(f ) = 28, ǫ = −1. We find that Pf (x) = p(x) + x31 q(x) with p(x) = x28 + x26 + x25 + x24 + x23 + x21 + x16 + x15 + x13 + x12 + x8 + x5 + x3 + x2 + x + 1, q(x) = x30 + x28 + x24 + x21 + x20 + x18 + x17 + x16 + x13 + x12 + x11 + x4 , r(x) = x30 + x26 + x25 + x23 + x20 + x18 + x17 + x15 + x11 + x8 + x5 + x4 + x3 + x2 + x + 1. Weights: w(p(x)) = w(r(x)) = 22t−2 = 16,
w(q(x)) = 22t−2 − 2t−1 = 12.
We find: p(x) = A(x)(x − 1)M1 (x) with A(x) = x22 + x21 + x18 + x15 + x13 + x12 + x10 + x9 + x8 + x7 + x6 + 1, q(x) = B(x)(x − 1)M1 (x) with B(x) = x24 + x23 + x21 + x19 + x16 + x15 + x12 + x9 + x8 + x6 + x2 + x, r(x) = C(x)(x − 1)M2 (x) with C(x) = x14 + x13 + x12 + x11 + x10 + x9 + x6 + x5 + x3 + x2 + x + 1,
238
J. Wolfmann / A Cyclic Code Approach of Bent Functions over F2 and Z4
Pf (x) = D(x)(x − 1)M2 (x) with D(x) = x45 + x44 + x42 + x41 + x39 + x38 + x37 + x34 + x32 + x31 + x28 + x27 + x26 + x25 + x23 + x21 + x19 + x18 + x17 + x15 + x14 + x11 + x9 + x8 + x6 + x5 + x4 + x3 + x2 + x + 1. Remark 4. p(x) and q(x) are in (x − 1)M1 (x)! and not in (x − 1)Mj (x)! for j > 1; r(x) is in (x − 1)M2 (x)! and not in (x − 1)Mj (x)! for j > 2. The integer i of Theorem 2 is t − 2 = 1. Pf (x) is in (x − 1)M2 (x)!62 2 . Example 3. Let t = 3 and f be the nondegenerate quadratic form defined by f (x1 , x2 , x3 , x4 , x5 , x6 ) =
xi xj .
1≤i 0. Further one can verify that #If = 1 if and only if f is affine. 3.6. Algebraic Degree The algebraic degree (also nonlinear order) of a function f , denoted by deg(f ), has been defined in Definition 1. Higher algebraic degrees are desirable in cryptography.
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
249
3.7. Linear Structures and Linearity Let f be a function on Vn . α ∈ Vn is called a linear structure of f if |Δ(α)| = 2n (i.e., f (x) ⊕ f (x ⊕ α) is a constant). For any function f , we have Δ(α0 ) = 2n , where α0 is the zero vector on Vn . It is easy to verify that the set of all linear structures of a function f form a linear subspace of Vn , whose dimension is called the linearity of f , and denoted by Lf . We note that nonzero linear structures are considered cryptographically undesirable. Lemma 10. If the linearity of f is p, then there exists a nonsingular n × n matrix B over GF(2) such that f (xB) = g(y) ⊕ h(z), where x = (y, z), y ∈ Vq , z ∈ Vp , p + q = n and g is a function on Vq that has no nonzero linear structures, and h is a linear function on Vp .
4. Nonsingular Affine Transformations, Affine Translates, and Some Special Functions Let f be a function on Vn , B be a nonsingular n×n matrix over GF(2) and β be a vector in Vn . Set g(x) = f (xB ⊕ β). Then g is called a nonsingular affine transformation of f on variables. It turns out that nonlinear properties of a Boolean function are in general invariable under a nonsingular affine transformation. Lemma 11. Let f be a function on Vn and g(x) = f (xB ⊕ β) where B is a nonsingular n × n matrix and β is a vector in Vn . Then (i) Nf = Ng , (ii) deg(f ) = deg(g), (iii) f is balanced if and only if g is balanced, (iv) #Rg = #Rf and Rg = Rf B −1 , where XB = {αB | α ∈ X}, (v) I∗g = I∗f B T , (vi) σg = σf , (vii) Δg = Δf . Let f be a function on Vn and ψ be an affine function on Vn . Then f ⊕ ψ is called a affine translate of f . Lemma 12. Let f be a function on Vn and φ(x) = β, x!, a linear function on Vn , where β is a vector in Vn . Let g(x) = f (x) ⊕ φ(x) be the affine translate of f . Then (i) Nf = Ng , (ii) deg(f ) = deg(g), (iii) Rg = Rf , (iv) I∗g = α ⊕ I∗f , where β ⊕ X = {β ⊕ γ | γ ∈ X}. The concept of bent functions was first introduced in [14]. Definition 7. A function f on Vn is called a bent function if ξ, ℓi !2 = 2n for every i = 0, 1, . . . , 2n − 1, where ℓi is the ith row of Hn . A bent function on Vn exists only when n is even, and it achieves the maximum nonlinearity 2n−1 − 2n/2−1 . From [14] we have the following: Theorem 1. Let f be a function on Vn . The following statements are equivalent: (i) f is bent, (ii) the nonlinearity of f , Nf , satisfies Nf = 2n−1 − 2n/2−1 , (iii) Δ(α) = 0 for any nonzero α in Vn , (iv) Rf = {0} where 0 is the zero vector in Vn , (v) the matrix of f is an Hadamard matrix. Bent functions have following additional properties [14]:
250
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
Proposition 1. Let f be a bent function on Vn and ξ denote the sequence of f . Then (i) the degree of f is at most n/2, (ii) for any nonsingular n × n matrix B over GF(2) and any vector β ∈ Vp , g(x) = f (xB ⊕ β) is a bent function, (iii) for any affine function ψ on Vn , f ⊕ ψ is a bent function, (iv) 2−n/2 ξHn is the sequence of a bent function, (v) HW(f ) = 2n−1 ± 2n/2−1 . We note that bent functions are not balanced. As a result these functions find few direct applications in cryptography. An interesting theorem of [1] explores a relationship between #I and #R. Theorem 2. For any function f on Vn , we have (#I)(#R) ≥ 2n , where the equality holds if and only if there exists a nonsingular n × n matrix B over GF(2) and a vector β ∈ Vn such that f (xB ⊕ β) = g(y) ⊕ h(z), where x = (y, z), x ∈ Vn , y ∈ Vp , z ∈ Vq , p + q = n, g is a bent on Vp and h is a linear function on Vq . Based on the above theorem, the concept of partially-bent functions was also introduced in the same paper [1]. Definition 8. A function on Vn is called a partially-bent function if (#I)(#R) = 2n . One can see that partially-bent functions include both bent functions and affine functions. Applying Theorem 2 together with properties of linear structures, or using Theorem 2 of [15] directly, we have Proposition 2. A function f on Vn is a partially-bent function if and only if each |Δ(α)| takes the value of 2n or 0 only. Equivalently, f is a partially-bent function if and only if R is composed of linear structures. In a later part of this paper we will examine relationships between partially bent functions and plateaued functions.
5. Constructing Highly Nonlinear Balanced Boolean Functions The main goal of this section to show how to construct balanced functions that have extremely high nonlinearity. We start with investigating properties of two sequences obtained by “splitting” a bent sequence. Lemma 13. Let f (x1 , x2 , . . . , x2k ) be a bent function on V2k , η0 be the sequence of f (0, x2 , . . . , x2k ), and η1 be the sequence of f (1, x2 , . . . , x2k ). Then for any affine sequence ℓ of length 22k−1 , we have −2k ≤ η0 , ℓ! ≤ 2k and −2k ≤ η1 , ℓ! ≤ 2k . 5.1. Highly Nonlinear Balanced Functions on V2k Note that an even number n ≥ 4 can be expressed as n = 4t or n = 4t + 2, where t ≥ 1. As the first step towards our goal, we prove Lemma 14. For any integer t ≥ 1 there exists
(i) a balanced function f on V4t such that Nf ≥ 24t−1 − 22t−1 − 2t ,
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
251
(ii) a balanced function f on V4t+2 such that Ng ≥ 24t+1 − 22t − 2t . Proof. (i) Let ℓi be the ith row of H2t where i = 0, 1, . . . , 22t − 1. Then ξ = (ℓ0 , ℓ1 , . . . , ℓ22t −1 ) is a bent sequence of length 24t . Note that except for ℓ0 = (1, 1, . . . , 1), all other ℓi (i = 1, . . . , 22t − 1) are balanced sequences of length 22t . Therefore replacing the all-one (or “flat”) leading sequence ℓ0 with a balanced sequence renders ξ balanced. The crucial idea here is to select a replacement with a high nonlinearity, since the nonlinearity of the resulting function depends largely on that of the replacement. The replacement we select is ℓ∗0 = (e1 , e1 , e2 , . . . , e2t −1 ), where ei is the ith row of Ht . Note that the leading sequence in ℓ∗0 is e1 but not e0 = (1, 1, . . . , 1). ℓ∗0 is a balanced sequence of length 22t , since all ei , i = 1, . . . , 2t − 1, are balanced sequences of length 2t . Replacing ℓ0 by ℓ∗0 , we get a balanced sequence ξ ∗ = (ℓ∗0 , ℓ1 , . . . , ℓ22t −1 ). Denote by f ∗ the function corresponding to the sequence ξ ∗ , and consider the nonlinearity of f ∗ . Let φ be an arbitrary affine function on V4t , and let L be the sequence of φ. By using Lemma 2, L is a row of ±H4t . Since H4t = H2t ⊗ H2t , L can be expressed as L = ±ℓi ⊗ℓj , where ℓi and ℓj are two row of H2t . Assume that ℓi = (a0 , a1 , . . . , a22t −1 ). Then L = ±(a0 ℓj , a1 ℓj , . . . , a22t −1 ℓj ). A property of a Hadamard matrix is that its rows are mutually orthogonal. Hence ℓp , ℓq ! = 0 for p = q. Thus | ξ ∗ , L!| ≤ | ℓ∗0 , ℓj !| + | ℓj , ℓj !| ≤ | ℓ∗0 , ℓj !| + 22t . We proceed to estimate | ℓ∗0 , ℓj !|. Note that H2t = Ht ⊗ Ht , ℓj can be expressed as ℓj = eu ⊗ ev , where eu and ev are rows of Ht . Write eu = (b0 , . . . , b2t −1 ). Then ℓj = (b0 ev , . . . , b2t −1 ev ). Similarly to the discussion for | ξ ∗ , L!|, we have ⎧ t+1 ⎪ ⎨2| e2 , e2 !| = 2 | ℓ∗0 , ℓj !| ≤ | ev , ev !| = 2t ⎪ ⎩ 0
if v = 2, if v = 3, . . . , 2t , if v = 1.
Thus ℓ∗0 , ℓj !| ≤ 2t+1 and hence | ξ ∗ , L!| ≤ 2t+1 + 22t . By using Lemma 7, d(f ∗ , φ) ≥ 24t−1 −(1/2) ξ ∗ , L! ≥ 24t−1 −22t−1 −2t . Since φ is arbitrary, Nf ∗ ≥ 24t−1 −22t−1 −2t . (ii) Now consider the case of V4t+2 . Let ℓi , i = 0, 1, . . . , 22t+1 − 1, be the ith row of H2t+1 . Then ξ = (ℓ0 , ℓ1 , . . . , ℓ22t+1 −1 ) is a bent sequence of length 24t+2 . The replacement for the all-one leading sequence ℓ0 = (1, 1, . . . , 1) ∈ V2t+1 is the following balanced sequence ℓ∗0 = (e2t , e2t +1 , . . . , e2t+1 −1 ), the concatenation of the 2t th, the (2t + 1)th,. . . , and the (2t+1 − 1)th rows of Ht+1 . Let ξ ∗ = (ℓ∗0 , ℓ1 , . . . , ℓ22t+1 −1 ), and let f ∗ the function corresponding to the balanced sequence. Similarly to the case of V4t , let φ be a affine function on V4t+2 and let L be its sequence. L can be expressed as L = ±ℓi ⊗ ℓj where ℓi and ℓj are rows of H2t+1 . Hence | ξ ∗ , L!| ≤ | ℓ∗0 , ℓj !| + | ℓj , ℓj !| ≤ | ℓ∗0 , ℓj !| + 22t+1 . Since ℓ∗0 is obtained by splitting the bent sequence (e0 , e1 , . . . , e2t+1 −1 ), where ei is a row of Ht+1 , by Lemma 13, we have | ℓ∗0 , ℓj !| ≤ 2t+1 . From this it follows that | ξ ∗ , L!| ≤ 2t+1 + 22t+1 and Nf ∗ ≥ 24t+1 − 22t − 2t .
252
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
With the above result as a basis, we consider an iterative procedure to further improve the nonlinearity of a function constructed. Note that an even number n ≥ 4 can be expressed as n = 2m , m ≥ 2, or n = 2s (2t + 1), s ≥ 1 and t ≥ 1. Consider the case when n = 2m , m ≥ 2. We start with the bent sequence obtained by concatenating m−1 m−1 the rows of H2m−1 . The sequence consists of 22 sequences of length 22 . Now we replace the all-one leading sequence with a bent sequence of the same length, which is obtained by concatenating the rows of H2m−2 . The length of the new leading sequence m−2 becomes 22 . It is replaced by another bent sequence of the same length. This replacing process is continued until the length of the all-one leading sequence is 22 = 4. To finish the procedure, we replace the leading sequence (1, 1, 1, 1) with (1, −1, 1, −1). The last replacement makes the entire sequence balanced. By induction on s = 2, 3, 4, . . ., it can be proved that the nonlinearity of the function obtained is at least 22
m
−1
−
m−2 2 1 2m−1 2 + 22 + · · · + 22 + 2 · 22 . 2
The modifying procedure for the case of n = 2s (2t + 1), s ≥ 1 and t ≥ 1, is the same as that for the case of n = 2m , m ≥ 2, except for the last replacement. In this case, the replacing process is continued until the length of the all-one leading sequence is 22t+1 . The last leading sequence is replaced by ℓ∗0 = (e2t , e2t +1 , . . . , e2t+1 −1 ), the second half of the bent sequence (e0 , e1 , . . . , e2t+1 −1 ), where each ei is a row of Ht+1 . Again by induction on s = 1, 2, 3, . . ., it can be proved that the nonlinearity of the resulting function is at least 22
s
(2t+1)−1
−
s−2 1 2s−1 (2t+1) 2 + 22 (2t+1) + · · · + 22(2t+1) + 22t+1 + 2t+1 . 2
We have completed the proof for the following
Theorem 3. For any even number n ≥ 4, there exists a balanced function f ∗ on Vn whose nonlinearity is
Nf ∗
⎧ m m−1 2 −1 2 2m−2 22 2 ⎪ 2 if n = 2m , − (1/2) 2 + 2 + · · · + 2 + 2 · 2 ⎪ ⎪ ⎨ s s−1 ≥ 22 (2t+1)−1 − (1/2) 22 (2t+1) + ⎪ ⎪ s−2 ⎪ ⎩ if n = 2s (2t + 1). 22 (2t+1) + · · · + 22(2t+1) + 22t+1 + 2t+1
5.2. Highly Nonlinear Balanced Functions on V2k+1
Lemma 15. Let f1 be a function on Vs and f2 be a function on Vt . Then f1 (x1 , . . . , xs )⊕ f2 (y1 , . . . , yt ) is a balanced function on Vs+t if either f1 or f2 is balanced. Let ξ1 be the sequence of f1 on Vs and ξ2 be the sequence of f2 on Vt . Then it is easy to verify that the Kronecker product ξ1 ⊗ ξ2 is the sequence of f1 (x1 , . . . , xs ) ⊕ f2 (y1 , . . . , yt ). Lemma 16. Let f1 be a function on Vs and f2 be a function on Vt . Let g be a function on Vs+t defined by
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
253
g(x1 , . . . , xs , y1 , . . . , ys ) = f1 (x1 , . . . , xs ) ⊕ f2 (y1 , . . . , yt ). Suppose that ξ1 and ξ2 , the sequences of f1 and f2 respectively, satisfy ξ1 , ℓ! ≤ P1 and ξ2 , ℓ! ≤ P2 for any affine sequence ℓ of length 2n , where P1 and P2 are positive integers. Then the nonlinearity of g satisfies Ng ≥ 2s+t−1 − (P1 /2) · P2 . Proof. Note that ξ = ξ1 ⊗ ξ2 is the sequence of g. Let φ be an arbitrary affine function on Vs+t and let ℓ be the sequence of φ. Then ℓ can be expressed as ℓ = ±ℓ1 ⊗ ℓ2 where ℓ1 is a row of Hs and ℓ2 is a row of Ht . Since ξ, ℓ! = ξ1 ⊗ξ2 , ±ℓ1 ⊗ℓ2 ! = ± ξ1 , ℓ1 ! ξ2 , ℓ2 !, we have | ξ, ℓ!| = | ξ1 , ℓ1 !| · | ξ2 , ℓ2 !| ≤ P1 · P2 and by using Lemma 7 d(g, φ) ≥ 2s+t−1 − (P1 /2) · P2 . Due to the arbitrariness of φ, Ng ≥ 2s+t−1 − (P1 /2) · P2 . Let ξ1 be a balanced sequence of length 22k that is constructed using the method in the proof of Theorem 3, where k ≥ 2, Let ξ2 be a sequence of length 215 obtained by the method of [16]. Note that the nonlinearity of ξ2 is 16276, and there are 13021 such sequences. Denote by f1 the function corresponding to ξ1 and by f2 the function corresponding to ξ2 . Let f (x1 , . . . , x2k , x2k+1 , . . . , x2k+15 ) = f1 (x1 , . . . , x2k ) ⊕ f2 (x2k+1 , . . . , x2k+15 ). (2) Then Theorem 4. The function f defined by (2) is a balanced function on V2k+15 , k ≥ 2, whose nonlinearity is at least ⎧ m m−1 m−2 2 22 +14 − 108(22 + 22 + · · · + 22 + 2 · 22 ) if 2k = 2m , ⎪ ⎪ ⎨ s s−1 2 (2t+1)+14 − 108 22 (2t+1) + Nf ≥ 2 ⎪ ⎪ s−2 ⎩ if 2k = 2s (2t + 1). 22 (2t+1) + · · · + 22(2t+1) + 22t+1 + 2t+1
Proof. Let ξ = ξ1 ⊗ ξ2 . Then ξ is the sequence of f . Let ℓ be an arbitrary affine sequence of length 22k+15 . Then ℓ = ±ℓ1 ⊗ ℓ2 , where ℓ1 is a linear sequence of length 22k and ℓ2 is a linear sequence of length 215 . Thus
and
⎧ m−1 m−2 2 2 ⎪ + 22 + · · · + 22 + 2 · 22 ⎨2 s−1 s−2 ξ1 , ℓ1 ! ≤ 22 (2t+1) + 22 (2t+1) + · · · + ⎪ ⎩ 22(2t+1) + 22t+1 + 2t+1
if 2k = 2m , if 2k = 2s (2t + 1).
ξ2 , ℓ2 ! ≤ 2 · (214 − 16276) = 216. By Lemma 16, the theorem is true. The nonlinearity of a function on V2k+15 constructed in this section is larger than that obtained by concatenating or splitting bent sequences for all k ≥ 7.
254
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
6. Upper Bounds and Lower Bounds on Nonlinearity Let f be a function on Vn and ξ be the sequence of f . By the equality in Lemma 3 in different ways, we will obtain two upper bounds on the nonlinearity of functions. 6.1. Two Upper Bounds 6.1.1. The First Upper Bound Our first upper bound can be regarded as a straightforward application of Lemma 3. For simplicity, write η ∗ = (Δ(α0 ), Δ(α1 ), . . . , Δ(α2n −1 )) and ξ ∗ = ( ξ, ℓ0 !2 , . . . , ξ, ℓ2n −1 !2 ). Then the equality in Lemma 3 is simplified to η ∗ Hn = ξ ∗ . This causes 2n −1 2n −1 4 (η ∗ Hn )(η ∗ Hn )T = ξ ∗ ξ ∗T , i.e., 2n j=0 Δ2 (αj ) = j=0 ξ, ℓj ! . Thus there n 2 −1 2 exists a j0 , 0 ≤ j0 ≤ 2n − 1, such that ξ, ℓj0 !4 ≥ j=0 Δ (αj ). Note that n Δ(α0 ) = Δ(0) = 2 . Hence from Lemma 7, we have Theorem 5. For any function f on Vn , the nonlinearity of f satisfies H I n −1 2 I 1 n−1 4 2n J 2 + Δ2 (αj ). − Nf ≤ 2 2 j=1
It is easy to verify that the bound in Theorem 5 does not exceed the well-known bound 2n−1 − 2n/2−1 . In addition, as the equality holds if f is bent, the bound is tight. 6.1.2. The Second Upper Bound In order to derive the second upper bound on nonlinearity, we generalize the equality in Lemma 3 in the following direction. For any integer t, 0 ≤ t ≤ n, rewrite the equality in Lemma 3 as (Δ(α0 ), Δ(α1 ), . . . , Δ(α2n −1 ))(Hn−t × Ht ) = ( ξ, ℓ0 !2 , . . . , ξ, ℓ2n −1 !2 ) where × denotes the Kronecker product. 2t −1 Now set σj = k=0 ξ, ℓj2t +k !2 where j = 0, 1, . . . , 2n−t − 1. Let e = (1, . . . , 1) be the all-one sequence of length 2t and I denote the identity matrix of order 2n−t . Then (Δ(α0 ), Δ(α1 ), . . . , Δ(α2n −1 ))(Hn−t × Ht )(I × eT ) = ( ξ, ℓ0 !2 , . . . , ξ, ℓ2n −1 !2 )(I × eT ). Note that (Hn−t × Ht )(I × eT ) = (Hn−t I) × (Ht eT ) and Ht eT = (2t , 0, . . . , 0)T . Hence (Δ(α0 ), Δ(α1 ), . . . , Δ(α2n −1 ))(Hn−t × (2t , 0, . . . , 0)T ) = (σ0 , σ1 , . . . , σ2n−t −1 )
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
255
and 2t (Δ(α0 ), Δ(α2t ), Δ(α2·2t ), . . . , Δ(α(2n−t −1)2t ))Hn−t = (σ0 , σ1 , . . . , σ2n−t −1 ). Thus we have proved the following result: Lemma 17. Let f be a function on Vn and ξ be the sequence of f . For any integer t, 2t −1 0 ≤ t ≤ n, set σj = k=0 ξ, ℓj2t +k !2 , where j = 0, 1, . . . , 2n−t − 1. Then 2t (Δ(α0 ), Δ(α2t ), Δ(α2·2t ), . . . , Δ(α(2n−t −1)2t ))Hn−t
(3)
= (σ0 , σ1 , . . . , σ2n−t −1 ).
We can see that (3) is more general than the equality in Lemma 3, by noting the fact that the two equations become identical when t = 0. Now compare the jth components in the two sides of (3), we have t
2
2n−t −1
ak Δ(αk·2t ) = σj ,
(4)
k=0
where j = 0, 1, . . . , 2n−t − 1 and (a0 , a1 , . . . , a2n−t −1 ) denotes the jth row (column) 2t −1 of Hn−t . Since we also have σj = ξ, ℓj2t +k !2 , for any fixed j there is a k0 , k=0 G 2n−t −1 ak Δ(αk·2t ). As Δ(α0 ) = 2n , 0 ≤ k0 ≤ 2t − 1, such that | ξ, ℓj2t +k0 !| ≥ k=0 by using Lemma 7, we have H I 2n−t −1 1I n−1 J n 2 + ak Δ(αk·2t ). − Nf ≤ 2 2 k=1
Now note that α0 , α2t , α2·2t , . . . , α(2n−t −1)2t form a (n−t)-dimensional linear subspace of Vn with {α2t , α2t+1 , . . . , α2n−1 } as its basis, and that the nonlinearity of a function is invariant under a nonsingular linear transformation on the input coordinates. Set r = n − t. By using a nonsingular linear transformation on the input coordinates, we have proved the following lemma: Lemma 18. For any integer r, 0 ≤ r ≤ n, let β1 , . . . , βr be r linearly independent vectors in Vn . Write γj = c1 β1 ⊕ · · · ⊕ cr βr , where j = 0, 1, . . . , 2r − 1 and (c1 , . . . , cr ) is the binary representation of integer j. Then H I r −1 2 I 1 n−1 Nf ≤ 2 − J2n + aj Δ(γj ) 2 j=1 holds for every row (column), denoted by (a0 , a1 , . . . , a2r −1 ), of Hr , where a0 = 1 due to the structure of a Sylvester–Hadamard matrix.
256
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
In practice, simpler forms than that in Lemma 18 would be preferred. This can be achieved by letting r = 1 in Lemma 18. This results in Nf ≤ 2n−1 −
1( n 2 ± Δ(β), 2
for any nonzero vector β ∈ Vn . Thus we have derived a simple formula for the upper bound on nonlinearity: Theorem 6. For any function f on Vn , the nonlinearity of f satisfies Nf ≤ 2n−1 − where Δmax = maxα∈Vn \{0} |Δ(α)|.
1( n 2 + Δmax , 2
6.2. Two Lower Bounds on Nonlinearity 6.2.1. The First Lower Bound Let ξ = (a0 , a1 , . . . , a2n −1 ) = b0 , b1 , . . . , b2n−1 −1 be the sequence of a function on Vn where each bj = (a2j , a2j+1 ) is called a basis. A basis, say bj , is called a (++)-basis if bj = ±(1, 1) and is called a (+−)-basis if bj = ±(1, −1). A fact is that any (1, −1)sequence of length 2n (n ≥ 2) is a concatenation of (++)-bases and (+−)-bases. In the following discussion, the number of (++)-bases in a sequence under consideration will be denoted by τ (++) and the number of (+−)-bases by τ (+−). Lemma 19. Let ξ be the sequence of a function f on Vn . Then τ (++) = 2n−2 + Δ(α1 )/4 and τ (+−) = 2n−2 − Δ(α1 )/4, where α1 = (0, . . . , 0, 1), the binary representation of integer 1. Proof. Write ξ = (a0 , a1 , a2 , a3 , . . . , a2n −2 , a2n −1 ). Thus ξ(α1 ) = (a1 , a0 , a3 , a2 , . . . , 2n−1 −1 a2n −1 , a2n −2 ) and Δ(α1 ) = ξ, ξ(α1 )! = j=0 (a2j a2j+1 + a2j+1 a2j ). Note that a2j a2j+1 + a2j+1 a2j
2 if (a2j a2j+1 ) is a (++)-basis, = −2 if (a2j a2j+1 ) is a (+−)-basis.
Thus Δ(α1 ) = 2(τ (++) − τ (+−)). On the other hand, 2(τ (++) + τ (+−)) = 2n . Hence τ (++) = 2n−2 + Δ(α1 )/4 and τ (+−) = 2n−2 − Δ(α1 )/4. Lemma 20. For any function f on Vn , the nonlinearity of f satisfies 1 Nf ≥ 2n−2 − |Δ(α1 )|. 4 Proof. Obviously, HW(f ) ≥ τ (+−). By using Lemma 19, HW(f ) ≥ 2n−2 −Δ(α1 )/4, where HW(f ) is the Hamming weight of f , i.e., the number of ones f assumes. Set gj (x) = f (x) ⊕ φj (x), where φj is the linear function on Vn , whose sequence is ℓi , j = 0, 1, . . . , 2n − 1.
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
257
Similarly to Δ(α) for f , we can write Δ(j) to denote the auto-correlation of gj . It is easy to verify that Δ
(j)
(α1 ) =
Δ(α1 ) if φj (α1 ) = 0, −Δ(α1 ) if φj (α1 ) = 1.
By the same reasoning for HW(f ), we have 2n−2 − Δ(α1 )/4 if φj (α1 ) = 0, HW(f ⊕ φj ) ≥ 2n−2 + Δ(α1 )/4 if φj (α1 ) = 1. Finally, note that d(f, φj ) = HW(f ⊕φj ). Hence we have Nf ≥ 2n−2 −|Δ(α1 )|/4. Now we introduce the first lower bound on nonlinearity: Theorem 7. For any function f on Vn , the nonlinearity of f satisfies 1 Nf ≥ 2n−2 − Δmin , 4 where Δmin = minα∈Vn \{0} |Δ(α)|. Proof. For any fixed s, 0 ≤ s ≤ 2n − 1, let A be a nonsingular matrix of order n, over GF(2), such that α1 A = αs . Define g(x) = f (xA). Set xA = u. Hence g(x) = f (u) where xA = u. Note that g(x) ⊕ g(x ⊕ α1 ) = f (xA) ⊕ f (xA ⊕ α1 A) = f (u) ⊕ f (u ⊕ αs ).
(5)
Similarly to Δ(α) defined for f , we can write Δ′ (α) as the auto-correlation of g. From (5), Δ′ (α1 ) = Δ(αs ). By using Lemma 20, Ng ≥ 2n−2 − |Δ′ (α1 )|/4. Since A is nonsingular, Ng = Nf . Hence Nf ≥ 2n−2 − |Δ(αs )|/4. As s is arbitrary, Nf ≥ 2n−2 − Δmin /4. Theorem 7 is tight. This can be seen from the following fact. Let f (x) = x1 φ(y) ⊕ ψ(y) be a function on Vn , where x = (x1 , . . . , xn ), y = (x3 , . . . , xn ), φ and ψ are nonzero linear functions on Vn−2 and φ = ψ. Note that f is quadratic. Using the truth table of f , we can verify that the nonlinearity of f is Nf = 2n−2 . Obviously, Δ(α2n−1 ) = 0, where α2n−1 = (1, 0, . . . , 0) is the binary representation of integer 2n−1 . This means that the equality in Theorem 7 holds for such a function f (y) = x1 φ(y) ⊕ ψ(y). 6.2.2. The Second Lower Bound By using a result in [1], the authors pointed out in [17] that if f , a function on Vn , satisfies the avalanche criterion with respect to all but a subset R of vectors in Vn , then the nonlinearity of f satisfies Nf ≥ 2n−1 − 2n/2−1 |R|1/2 .
(6)
258
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
More recently, a further improvement has been made in [18]: Nf ≥ 2n−1 − 2n−ρ/2−1 ,
(7)
where ρ is the maximum dimension of the linear sub-spaces in {0} ∪ Rc and Rc = Vn − R. (see Theorem 11 of [18]). A shortcoming with (6) and (7) is that when |R| is large, estimates provided by (6) or (7) are too far from the real value. For example, let g be a bent function on Vn (n must be even). Suppose n ≥ 4. Now we construct a function f on Vn : f (x) = g(x) if x = 0 and f (0) = 1⊕g(0). Since HW(g) is even, HW(f ) must be odd. Hence f does not satisfy the avalanche characteristics with respect to any vectors and hence |R| = 2n . In this case both (6) and (7) give the trivial inequality Nf ≥ 0. This problem is addressed in the rest of this section. Let f , a function on Vn , satisfy the avalanche criterion with respect to all but a subset R of vectors in Vn . For any integer t, 0 ≤ t ≤ n, set Ω = {α0 , α2t , α2·2t , . . . , α(2n−t −1)2t }. Recall α0 , α2t , α2·2t , . . . , α(2n−t −1)2t form a (n − t)-dimensional linear subspace of Vn , and {α2t , α2t+1 , . . . , α2n−1 } is a basis of this subspace. From (4), σj ≤ 2t (Δ(α0 ) + (|R ∩ Ω| − 1)Δmax ), 2t −1 2 where Δmax = maxα∈Vn \{0} |Δ(α)| and σj = k=0 ξ, ℓj2t +k ! , j = 0, 1, . . . , n−t 2 t −1. Hence ξ, ℓj2t +k ! ≤ 2 (Δ(α0 )+(|R∩Ω|−1)Δmax ), j = 0, 1, . . . , 2n−t −1, 2 k = 0, 1, . . . , 2t − 1. Note that Δ(α0 ) = 2n . By using Lemma 7, the nonlinearity of f satisfies Nf ≥ 2n−1 − 2t/2−1
( 2n + (|R ∩ Ω| − 1)Δmax .
Set r = n − t. By using a nonsingular linear transformation on the variables, we have the second lower bound: Theorem 8. Let f , a function on Vn , satisfy the avalanche criterion with respect to all but a subset R of vectors in Vn . Let W be any r-dimensional linear subspace of Vn , r = 0, 1, . . . , n. Then the nonlinearity of f satisfies Nf ≥ 2n−1 − 2(n−r)/2−1 where Δmax = maxα∈Vn \{0} |Δ(α)|.
(
2n + (|R ∩ W | − 1)Δmax ,
Since |Δ(α)| ≤ 2n for each α ∈ Vn , from Theorem 8, we have Corollary 1. Let f , a function on Vn , satisfy the avalanche criterion with respect to all but a subset R of vectors in Vn . Let W be any r-dimensional linear subspace of Vn , r = 0, 1, . . . , n. Then the nonlinearity of f satisfies Nf ≥ 2n−1 − 2n−r/2−1
(
|R ∩ W |.
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
Upper Bounds Lower Bounds
259
Table 1. Upper and Lower Bounds on Nonlinearity G 2n −1 2 Theorem 5: Nf ≤ 2n−1 − (1/2) 4 22n + j=1 Δ (αj ) √ n−1 n Theorem 6: Nf ≤ 2 − (1/2) 2 + Δmax Theorem 7: Nf ≥ 2n−2 − |Δmin |/4
Theorem 8: Nf ≥ 2n−1 − 2(n−r)/2−1
(
2n + (|R ∩ W | − 1)Δmax
Here Δ(α) = ξ(0), ξ(α) is the auto-correlation of f with a shift α, Δmax = maxα∈Vn \{0} |Δ(α)|, Δmin = minα∈Vn \{0} |Δ(α)|, R is the set of vectors where the avalanche criterion is not fulfilled by f , and W is any r-dimensional linear subspace of Vn , r = 0, 1, . . . , n.
Theorem 8 is more general and gives a better estimate of lower bound than all other known lower bounds. To see this, let W = Vn , i.e., r = n. Hence we have Nf ≥ ( 2n−1 − (1/2) 2n + (|R| − 1)Δmax . As Δmax ≤ 2n , this estimate is clearly better than (6). On the other hand, if R ∩ W = {α0 = 0} then Nf ≥ 2n−1 − 2n−r/2−1 , which is exactly (7). Table 1 summaries the main results obtained in this section, namely two upper and two lower bounds on the nonlinearity of cryptographic functions.
7. Polynomials, Nonlinearity, and the Number of Terms 7.1. Terms in a Polynomial Notation 4. (b1 , . . . , bn ) (a1 , . . . , an ) means that (b1 , . . . , bn ) is covered by (a1 , . . . , an ), namely if bj = 1 then aj = 1. In addition, (b1 , . . . , bn ) ≺ (a1 , . . . , an ) means that (b1 , . . . , bn ) is properly covered by (a1 , . . . , an ), namely (b1 , . . . , bn ) (a1 , . . . , an ) and (b1 , . . . , bn ) = (a1 , . . . , an ) Notation 5. Let W be a subspace of Vn . Denote the dimension of W by dim(W ). Notation 6. Let X be a set. The cardinal number of X, i.e., the number of elements in X, is denoted by #X. A proof for the following result is provided, as we feel that understanding the proof would be helpful in studying other issues that are more directly related to cryptography. Theorem 9. Let f be a function on Vn . Let α, β ∈ Vn , α = (1, . . . , 1, 0, . . . , 0), where only the first s components are one, and β = (0, . . . , 0, 1, . . . , 1, 0, . . . , 0) where only the (s + 1)th,. . . , the (s + t)th components are one. Then the number of terms of the ≤ i1 < · · · < it′ ≤ s + t, that appear in the form x1 · · · xs xi1 · · · xit′ where s + 1 3 algebraic normal form of f , is even if γα f (γ ⊕ β) = 0, and the number is odd if 3 f (γ ⊕ β) = 1. γα
Proof. Consider a term χ(x) = xj1 · · · xjs′ xi1 · · · xit′ in f , where x = (x1 , . . . , xn ), 1 ≤ j1 < · · · < js′ ≤ s and s + 1 ≤ i1 < · · · < it′ ≤ s + t. Denote the set of such terms there are an even number of vectors γ in by Γ1 if s′ < s, and by Γ2 if s′ = s. For s′ < s,3 ′ Vn such that γ α and χ(γ ⊕ β) = 1. Hence γα χ(γ ⊕ β) 3= 0. For s = s, there is only one vector in Vn , γ = α, such that χ(γ ⊕ β) = 1. Hence γα χ(γ ⊕ β) = 1. Now
260
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
consider a term ω(x) = xj1 · · · xjk in f , where x = (x1 , . . . , xn ), 1 ≤ j1 < · · · < jk , and jk > s+t. Denote the set of terms given in the form of ω(x) by Ω. Due to jk > s+t, and the structures of α 3 and β, we know 3 that ω(γ ⊕ β) = 0 for each γ α. We write 3 χ ⊕ χ ⊕ f3as f = ω∈Ω ω. Combing the above discussion, we have χ∈Γ1 2 3 χ∈Γ 3 χ(γ ⊕ β). The proof f (γ ⊕ β) = γα χ∈Γ2 3 is completed by noting that 3γα f (γ ⊕ β) = 0 implies that #Γ is even, while 2 γα f (γ ⊕ β) = 1 implies that γα #Γ2 is odd. Set β = 0 in Theorem 9 and reorder the variables, we obtain a result well-known to coding theorists (see p. 372 of [2]): = (a1 , . . . , an ) be a vector in Vn . Then Corollary 2. Let f be a function on Vn and α 3 the term xa1 1 · · · xann appears in f if and only if γα f (γ) = 1.
With the above two results, it is not hard to verify the correctness of the following lemma: Lemma 21. Let f and g be function on Vn . Then the following four statements are equivalent 3 (i) f (α) = 3 βα g(β) for every vector α ∈ Vn , (ii) g(α) = βα f (β) 3 for every vector α ∈ Vn , (iii) f (x1 , . . . , xn ) = 3 α∈Vn g(a1 , . . . , an )xa1 1 · · · xann where α = (a1 , . . . , an ), (iv) g(x1 , . . . , xn ) = α∈Vn f (a1 , . . . , an )xa1 1 · · · xann where α = (a1 , . . . , an ). 7.2. Maximal Odd Weighting Subspaces with Applications
The focus of this section is on maximal odd weighting subspace to be defined in the following. We show the usefulness of this simple concept by proving two interesting results. Definition 9. Let f be a function on Vn . A subspace U of Vn is called a maximal odd weighting subspace of f if the Hamming weight of fU is odd, while the Hamming weight of fU ′ is even for every subspace U ′ of Vn with U ′ ⊃ U . 7.2.1. A Lower Bound on Nonlinearity In this section we show how the dimension of a maximal odd weighting subspace of a function is connected to the lower bound on the nonlinearity of the function. Definition 10. Let f be a function on Vn , xj1 · · · xjt and xi1 · · · xis be two terms in the algebraic normal form of function f . xj1 · · · xjt is said to be covered by xi1 · · · xis if {j1 , . . . , jt } is a subset of {i1 , . . . is }, and xj1 · · · xjt is said to be properly covered by xi1 · · · xis if {j1 , . . . , jt } is a proper subset of {i1 , . . . is }. Theorem 10. Let f be a function on Vn and U be a maximal odd weighting subspace of f . If dim(U ) = s then the Hamming weight of f is at least 2n−s . Proof. Let U be an s-dimensional subspace of Vn . Then Vn is the union of 2n−s disjoint cosets of U :
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
261
Vn = Π0 ∪ Π1 ∪ · · · ∪ Π2n−s −1 ,
(8)
where (i) Π0 = U , (ii) for any α, β ∈ Vn , α, β belong to the same class, say Πj , if and only if α ⊕ β ∈ Π0 = U . From (i) and (ii), it follows that (iii) Πj ∩ Πi = ∅ for j = i, where ∅ denotes the empty set.
Note that each Πj can be expressed as Πj = βj ⊕ U for a βj ∈ Vn , where βj ⊕ U = {βj ⊕ α | α ∈ U }. And let Nj = #{α ∈ Πj | f (α) = 1}, where Πj is defined in (8), j = 0, 1, . . . , 2s−1 . Since Π0 = U , N0 is odd. Note that Π0 ∪Πj is a (s+1)-dimensional subspace of Vn , j = 1, . . . , 2n−s − 1. Since Π0 = U is a maximal odd weighting subspace of f , the Hamming weight of the restriction of f to Π0 ∪ Πj is even. In other words, N0 + Nj is even. This proves that each Nj is odd, j = 1, . . . , 2n−s − 1. Hence N0 +N1 +· · ·+N2n−s −1 ≥ 2n−s , namely, the Hamming weight of f is at least 2n−s . Theorem 11. Let f be a function on Vn and U be a maximal odd weighting subspace of f . Let dim(U ) = s (s ≥ 2). Then the nonlinearity Nf of f satisfies Nf ≥ 2n−s .
Proof. Let φ be any affine function on Vn . Let W be any subspace of dimension at least two. Note that the Hamming weight of φW is even. Hence the Hamming weight of (f ⊕ φ)W is odd if and only if the Hamming weight of fW is odd. This proves that U is also a maximal odd weighting subspace of f ⊕ φ. According to Theorem 10, the Hamming weight of f ⊕ φ is at least 2n−s . As the Hamming weight of f ⊕ φ determines d(f, φ), the theorem is proved. Theorem 12. Let t ≥ 2. If xj1 · · · xjt is a term in a function f on Vn and it is not properly covered (see Definition 10) by any other term in the same function, then the nonlinearity Nf of f satisfies Nf ≥ 2n−t . Proof. Write α = (a1 , . . . , an ) where aj = 1 for j ∈ {j1 , . . . , jt } and aj = 0 for subspace of j ∈ / {j1 , . . . , jt }. Set U = {γ | γ α}. Obviously U is a t-dimensional 3 is a term in f on V , by using Corollary 2, f (γ) = 1 or · · · x . Since x V n j n j t 1 γα 3 γ∈U f (γ) = 1, i.e., the Hamming weight of fU is odd. We now prove that U is a maximal odd weighting subspace of f . Assume that U is not a maximal odd weighting subspace of f . Then there is an s-dimensional subspace of Vn , say W , such 3 that U is a proper subset of W , i.e., s > t and the Hamming weight of fW is odd ( γ∈W f (γ) = 1). Since U is a proper subspace of W , we can express W as a union of 2s−t disjoint cosets of U : W = U ∪ (β1 ⊕ U ) ∪ · · · ∪ (β2s−t −1 ⊕ U ) where each β α , and α ⊕ α = (1, . . . , 1). Since both the Hamming weights of fU and fW are odd, there s−t − 1, such that the Hamming weight of fβk ⊕U is a coset, say 3βk ⊕ U , 1 ≤ k ≤ 2 is even, i.e., γα f (βk ⊕ γ) = 0. Applying Theorem 9 to this formula, there are an even number of terms covering xj1 · · · xjt . Since the term xj1 · · · xjt itself appears in f , there is another term properly covering xj1 · · · xjt . This contradicts the condition in the theorem, namely the term xj1 · · · xjt is not properly covered by any other term in f . The contradiction indicates that U is a maximal odd weighting subspace of f . By noting Theorem 11, the proof is completed. We note that the lower bound in Theorem 11 is tight:
262
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
Corollary 3. For any n and any s with 2 ≤ s ≤ n, there is a function on Vn , say f , together with an s-dimensional subspace, say U , such that U is a maximal odd weighting subspace of f and the nonlinearity Nf of f satisfies Nf = 2n−s . Proof. Let g be a function on Vs , defined as g(β) = 1 if and only if β = 0. Set f (z, y) = g(y), a function on Vn , where z ∈ Vn−s and y ∈ Vs . Since the Hamming weight of f is 2n−s (s ≥ 2), d(f, h) ≥ 2n−s where h is any affine function on Vn and the equality holds if h is the zero function on Vn . Hence the nonlinearity Nf of f satisfies Nf = 2n−s . On the other hand, set U = {(0, . . . , 0, b1 , . . . , bs ) | bj ∈ GF(2)} where the number of zeros is n − s. We now verify that the s-dimensional subspace U is a maximal odd weighting subspace of f . Let W be a k-dimensional subspace of Vn such that U is a prefer subspace of W . We can express W as a union of 2k−s disjoint cosets of U : W = U ∪ (β1 ⊕ U ) ∪ · · · ∪ (β2k−s −1 ⊕ U ). Since U is a subspace, we can choose each βj as a vector of the form (c1 , . . . , cn−s , 0, . . . , 0). From the construction of f , the Hamming weight of fβj ⊕U is odd (one). Hence the Hamming weight of fW is even. This proves that U is a maximal odd weighting subspace of f . 7.2.2. A Lower Bound on the Number of Terms In the design of a cipher, a designer generally prefers a function that has a large number of terms in its algebraic normal form to one that has few, although the former may require more circuitry than the latter in hardware implementation. A good example is S-boxes employed in DES all of which appear to contain a large number of terms. In what follows we show that maximal odd weighting subspaces can be used in bounding from below the number of terms of a function. Theorem 13. Let f be a function on Vn such that f (α) = 1 for a vector α ∈ Vn , and f (β) = 0 for every vector β with α ≺ β, where ≺ is defined as in Notation 4. Then f has at least 2n−t terms, where t denotes the Hamming weight of α. Proof. First we note that Theorem 10 can be equivalently stated as follows: Let f be a function on Vn and g be the Möbius transform of f defined in (1). Let g(α) = 1 for a vector α ∈ Vn , and g(β) = 0 for every vector β with α ≺ β, where ≺ is defined in Notation 4. Then the Hamming weight of f is at least 2n−t . The equivalence between (iii) and (iv) in Lemma 21 allows us to interchange f and g in the above statement. Thus we have: Let f be a function on Vn and g be defined in (1). Let f (α) = 1 for a vector α ∈ Vn , and f (β) = 0 for every vector β with α ≺ β. Then the Hamming weight of g is at least 2n−t . This completes the proof. Applying Theorem 13, it is not hard to verify Corollary 4. Let f be a function on Vn such that f (α) = 0 for a vector α ∈ Vn , and f (β) = 1 for every vector β with α ≺ β, where ≺ is defined as in Notation 4. Then f has at least (i) 2n−s − 1 terms if f (0) = 0, (ii) 2n−s + 1 terms if f (0) = 1, where s denotes the Hamming weight of α.
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
263
The lower bounds on the number of terms given by Theorem 13 and Corollary 4 are tight, due to Corollary 3 and Lemma 21. 7.3. Restrictions of a Function Restricting a function is another approach that can be used in studying the properties of the function. In this section we investigate restriction of a function to a coset which is a set of vectors induced by a subspace. Lemma 22. Let f be a function on Vn (n ≥ 2). If f satisfies the property that for every (n − 1)-dimensional subspace, say W , the Hamming weight of fW is even, where fW is defined in Definition 2, then the Hamming weight of f is also even. 7.3.1. Nonlinearity of the Restriction of a Function to a Coset Theorem 14. Let f be a function on Vn , W be a p-dimensional subspace of Vn and Π be a coset of W . Then max
j=0,1,...,2p −1
| γ, ej !| ≤
max
j=0,1,...,2n −1
| ξ, ℓj !|,
where γ is the sequence of fΠ , ξ is the sequence of f , ej is the jth row of the 2p th order Sylvester–Hadamard matrix Hp , ℓi is the ith row of the 2n th order Sylvester–Hadamard matrix Hn , and ξi is the sequence of f . Proof. We first prove the theorem for the case of Π = W . Set q = n − p. We now prove the theorem by induction on q. When q = 0, the theorem is obviously true. Now assume that the theorem is true for 0 ≤ q ≤ k − 1. Consider the case when q = k. Let U be an (n − 1)-dimensional subspace of Vn such that W is a subspace of U . Let li denote the ith row of the 2n−1 th order Sylvester–Hadamard matrix Hn−1 . Also let η to denote the sequence of fU . Now applying the same assumption to W and U , we have max
j=0,1,...,2p −1
| γ, ej !| ≤
max
j=0,1,...,2n−1 −1
| η, lj !|.
Again, by using the assumption, max
j=0,1,...,2n−1 −1
| η, lj !| ≤
max
j=0,1,...,2n −1
| ξ, ℓj !|.
The proof for the particular case of Π = W is done. To complete the proof for the theorem, we note that the above discussions also hold for a function g satisfying f (x) = g(x ⊕ α), where α is any fixed vector in Vn . Applying the above theorem, we obtain the following two interesting results: Corollary 5. Let f be a function on Vn , W be a p-dimensional subspace of Vn , Π be a coset of W , and fΠ be the restriction of f to Π. Then the nonlinearity of f and the nonlinearity of fΠ are related by Nf − NfΠ ≤ 2n−1 − 2p−1 . Corollary 6. Let f be a function on Vn , W be a p-dimensional subspace of Vn , and Π be a coset of W . If the restriction of f to Π, fΠ , is an affine function, then the nonlinearity Nf of f satisfies Nf ≤ 2n−1 − 2p−1 .
264
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
7.3.2. Relating Nonlinearity to Terms in Algebraic Normal Form The following result is an application of Corollary 6. Theorem 15. Let f be a function on Vn and J be a subset of {1, . . . , n} such that f does not contain any term xj1 · · · xjt where j1 , . . . , jt ∈ J. Then the nonlinearity Nf of f satisfies Nf ≤ 2n−1 − 2s−1 where s = #J. Proof. Let U = {(a1 , . . . , an ) | aj = 0 3 if j ∈ / J}. Note that U is an s-dimensional a1 an subspace of Vn . Write f (x1 , . . . , xn ) = α∈Vn g(a1 , . . . , an )x1 · · · xn where α = of f and J, we have (a1 , . . . , an ) and g is also a function on Vn . From the property 3 g(α) = 0 for all α ∈ U . By using Lemma 21, f (α) = βα g(β). Hence f (α) = 0 for all α ∈ U . That is, fU = 0. By using Corollary 6, we have proved that Nf ≤ 2n−1 − 2s−1 . The following statement can be viewed as an improvement on Theorem 15. Theorem 16. Let f be a function on Vn and J be a subset of {1, . . . , n} such that f does not contain any term xj1 · · · xjt where t > 1 and j1 , . . . , jt ∈ J. Then the nonlinearity Nf of f satisfies Nf ≤ 2n−1 − 2s−1 where s = #J. Proof. Write f = f ∗ ⊕ ψ where ψ is an affine function and f ∗ has no affine term. Note that Nf ∗ = Nf . By Theorem 15, we have Nf ∗ ≤ 2n−1 − 2s−1 . The next two statements can be obtained from Theorems 15 and 16 respectively, by setting J = {1, . . . , n} − P . • Statement 1: Let f be a function on Vn and P be a subset of {1, . . . , n} such that for any term xj1 · · · xjt in f , {j1 , . . . , jt } ∩ P = ∅ holds, where ∅ denotes the empty set. Then the nonlinearity Nf of f satisfies Nf ≤ 2n−1 − 2n−p−1 where p = #P . • Statement 2: Let f be a function on Vn and P be a subset of {1, . . . , n} such that for any term xj1 · · · xjt with t > 1 in f , {j1 , . . . , jt } ∩ P = ∅ holds, where ∅ denotes the empty set. Then the nonlinearity Nf of f satisfies Nf ≤ 2n−1 − 2n−p−1 where p = #P . Note that bent functions on Vn have nonlinearity 2n−1 − 2n/2−1 . By using Theorem 16 we conclude Corollary 7. Let f be a function on Vn satisfying Nf ≥ 2n−1 − 2s−1 . Then f contains at least n − s non-affine terms. In particular, if f is bent, then it contains at least n/2 non-affine terms. Proof. Let f contain exactly q non-affine terms. Suppose that q < n − s. From each non-affine term, we choose arbitrarily a single variable and collect those single variables together to form a set P . Obviously P satisfies the condition in Statement 2 and #P ≤ q. Hence we have Nf ≤ 2n−1 − 2n−#P −1 ≤ 2n−1 − 2n−q−1 < 2n−1 − 2s−1 . This contradicts the condition that Nf ≥ 2n−1 − 2s−1 .
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
265
7.4. Hypergraph of a Boolean Function 7.4.1. König Property Let X = {x1 , . . . , xn } be a finite set. Set I = {E1 , . . . , Em }, where each Ej is a subset of X. The hypergraph, denoted by Γ, is the pair Γ = (X, I). Each xj is called a vertex, each Ej is called an edge, n and m are called the order and the size of Γ respectively. If #Ej = 1 for a j then the vertex in Ej is called an isolated vertex. A sequence x1 E1 x2 E2 · · · xp Ep x1 is called a cycle of length p, where p > 1, all the Ej and xj , 1 ≤ j ≤ p, are distinct, and xj , xj+1 ∈ Ej , j = 1, . . . , p. A subset of X, say S, is a stable set of Γ, if Ej S, j = 1, . . . , m. The maximum cardinality of a stable set is called the stability number of Γ, denoted by κ(Γ). A subset of X, say Y , is a transversal of Γ, if Y ∩ Ej = ∅, j = 1, . . . , m. The minimum cardinality of a transversal is called the transversal number of Γ, denoted by τ (Γ). A subset of I, say B = {Ej1 , . . . , Ejq }, is a matching of Γ, if Ejt ∩ Ejs = ∅, for t = s. The maximum number of edges in a matching is called the matching number of Γ, denoted by ν(Γ). The following equality and inequality can be found on p. 405 of [19]: τ (Γ) + κ(Γ) = n,
ν(Γ) ≤ τ (Γ).
(9)
Γ is said to satisfy the König Property if ν(Γ) = τ (Γ). The following lemma can be deduced from Theorem 3.5 of [19], established by Berge and Las Vergnas in 1970. Lemma 23. If a hypergraph Γ has no cycle with odd length, then Γ satisfies the König Property. Definition 11. Let f be a function on Vn . If f (0) = 0, i.e., the constant term of f is zero, we can define the hypergraph of f , denoted by Γ(f ), by the following rule: Let X = {x1 , . . . , xn }. A subset of X, Ej = {xj1 , . . . , xjt } is referred to as an edge of Γ(f ) if and only if xj1 · · · xjt is a term of f . If f (0) = 1, i.e., the constant term of f is one, we do the same for 1 ⊕ f and then obtain a hypergraph that is called the the hypergraph of f denoted by Γ(f ). Denote the stability number of Γ(f ) by κ(f ), transversal number of Γ(f ) by τ (f ) and matching number of Γ(f ) by ν(f ). Without loss of generality, in this section, we only study Γ(f ) with f (0) = 0. 7.4.2. Applications to Nonlinearity Corollary 8. Let f be a function on Vn . Write f = f ∗ ⊕ ψ, where ψ is an affine function and f ∗ has no affine term. Let κ(f ∗ ) denote the stability number of Γ(f ∗ ). Then Nf ≤ ∗ 2n−1 − 2κ(f )−1 or equivalently κ(f ∗ ) ≤ 1 + log2 (2n−1 − Nf ). In particular, if f is a bent function, then κ(f ∗ ) ≤ n/2 and τ (f ∗ ) ≥ n/2. To prove the corollary, we note that Nf ∗ = Nf . Then applying Theorem 16, we ∗ have Nf ∗ ≤ 2n−1 − 2κ(f )−1 . Next we introduce a key result of this section. Theorem 17. Let f be a bent function on Vn . Then (the algebraic normal form of) f contains precisely n/2 disjoint quadratic terms if Γ(f ) contains no cycle of odd length. Equivalently, Γ(f ) must contain a cycle of odd length if f contains less than n/2 disjoint quadratic terms.
266
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
Proof. Write f = f ∗ ⊕ψ where ψ is an affine function and f ∗ has no affine term. If Γ(f ) contains no cycle of odd length, then Γ(f ∗ ) too contains no cycle of odd length. By using Lemma 23, we have τ (f ∗ ) = ν(f ∗ ). From Corollary 8, ν(f ∗ ) ≥ n/2. Hence there exists a matching B of Γ(f ∗ ). Without loss of generality, let B = {E1 , . . . , Eν }, where each Ej is an edge of Γ(f ∗ ), ν = ν(f ∗ ) = τ (f ∗ ) ≥ n/2 and Ej ∩ Ei = ∅, for j = i. Note that #E1 + · · · + #Eν = #(E1 ∪ · · · ∪ Eν ) ≤ n. On the other hand, since Γ(f ∗ ) has no isolated vertex, each Ej has at least two elements. Hence #E1 + · · · + #Eν ≥ 2ν ≥ n. From the two inequalities, we have #E1 + · · · + #Eν = n. Note that ν ≥ n/2 holds if and only if ν = n/2 and #Ej = 2, j = 1, . . . , ν = n/2. This proves that f ∗ contains n/2 disjoint quadratic terms, and so does f . Theorem 18. Let f be a function on Vn , whose nonlinearity Nf satisfies Nf ≥ 2n−1 − 22n/3−t−1 , where t is real with 1 ≤ t ≤ n/6. Then f contains at least 3t disjoint quadratic terms if Γ(f ) contains no cycle of odd length. Equivalently, Γ(f ) contains at least one cycle of odd length if f contains less than 3t disjoint quadratic terms. Proof. Write f = f ∗ ⊕ ψ where ψ is an affine function and f ∗ has no affine term. If Γ(f ) contains no cycle of odd length, then Γ(f ∗ ) too contains no cycle of odd length. Recall that Nf = Nf ∗ . By using Lemma 23, τ (f ∗ ) = ν(f ∗ ). From Corollary 8, ν(f ∗ ) ≥ n − (2n/3 − t) = n/3 + t. Hence there exists a matching B of Γ(f ∗ ). Again, without loss of generality, we can assume that B = {E1 , . . . , Eν }, where each Ej is an edge of Γ(f ∗ ), ν = ν(f ∗ ) = τ (f ∗ ) ≥ n/3 + t and Ej ∩ Ei = ∅, for j = i. Note that #E1 + · · · + #Eν = #(E1 ∪ · · · ∪ Eν ) ≤ n.
(10)
Let there be k sets Ej , where Ej ⊆ B with #Ej = 2. Then #(E1 + · · · + Eν ) ≥ 2k + 3(ν − k) ≥ 2k + 3(n/3 + t − k).
(11)
Comparing (10) and (11), we have k ≥ 3t. Corollary 9. Let f be a function on Vn , whose nonlinearity Nf satisfies Nf > 2n−1 − 22n/3−1 . Then f contains at least one quadratic term if Γ(f ) contains no cycle of odd length. That is, Γ(f ) must contain a cycle of odd length if f contains no quadratic term. Proof. Since Nf > 2n−1 − 22n/3−1 , there exists a real number t, 0 < t ≤ n/6, such that Nf ≥ 2n−1 − 22n/3−t−1 > 2n−1 − 22n/3−1 . By using Theorem 18, the proof is completed. Theorems 17, 18 and Corollary 9 show that the existence of a cycle of odd length in Γ or of quadratic terms in f plays an important role in highly nonlinear functions. Γ(f ) is also useful in algebraic attacks [20].
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
267
8. Plateaued Functions Now we introduce a new class of functions called plateaued functions [21,22]. Here is the definition. Definition 12. Let f be a function on Vn and ξ denote the sequence of f . If there exists an even number r, 0 ≤ r ≤ n, such that #I = 2r and each ξ, ℓj !2 takes the value of 22n−r or 0 only, where ℓj denotes the jth row of Hn , j = 0, 1, . . . , 2n − 1, then f is called a rth-order plateaued function on Vn . f is also simply called a plateaued function on Vn if we ignore the particular order r. Due to Parseval’s equation (Lemma 4), the condition #I = 2r can be obtained from the condition “each ξ, ℓj !2 takes the value of 22n−r or 0 only, where ℓj denotes the jth row of Hn , j = 0, 1, . . . , 2n − 1”. For the sake of convenience, however, we have mentioned both conditions in Definition 12. The following result can be obtained immediately from Definition 12. Proposition 3. Let f be a function on Vn . Then we have (i) if f is a rth-order plateaued function then r must be even, (ii) f is an nth-order plateaued function if and only if f is bent, (iii) f is a 0th-order plateaued function if and only if f is affine. The following is a consequence of Theorem 3 of [15]. Proposition 4. Every partially-bent function is a plateaued function. An interesting question naturally arises from Proposition 4: is a plateaued function also partially-bent? In the coming sections we characterize plateaued functions and disprove the converse of the proposition. 8.1. Characterizations of Plateaued Functions First we introduce Hölder’s Inequality [23]. It states that for real numbers aj ≥ 0, bj ≥ 0, j = 1, . . . , k, p and q with p > 1 and 1/p + 1/q = 1, the following is true: ⎛ ⎝
k j=1
⎞1/p ⎛
apj ⎠
⎝
k j=1
⎞1/q
bqj ⎠
≥
k
aj bj ,
j=1
where the equality holds if and only if there exists a constant ν ≥ 0 such that aj = νbj for each j = 1, . . . , k. We are particularly interested in the case when p = q = 2 in Hölder’s Inequality. In this case we have H⎛ ⎞ ⎞⎛ I k k k I I (12) b2j ⎠, a2j ⎠ ⎝ aj bj ≤ J⎝ j=1
j=1
j=1
where the equality holds if and only if there exists a constant ν ≥ 0 such that aj = νbj for each j = 1, . . . , k.
268
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
Notation 7. Let f be a function on Vn and ξ denote the sequence of f . Let χ denote the real valued (0, 1)-sequence defined as χ = (c0 , c1 , . . . , c2n −1 ), where 1 if j ∈ I, cj = 0 otherwise and αj ∈ Vn , that is the binary representation of integer j. Write (13)
χHn = (s0 , s1 , . . . , s2n −1 ), where each sj is an integer. We note that ⎡
⎤
ξ, ℓ0 !2 ξ, ℓ1 !2 .. .
⎢ ⎢ χ⎢ ⎣
ξ, ℓ2n −1 !2
n −1 ⎥ 2 ⎥ ξ, ℓj !2 = 22n , ⎥= ⎦ j=0
where the second equality holds thanks to Parseval’s equation (Lemma 4). By using Lemma 3, we have ⎡ ⎤ Δ(α0 ) ⎢ Δ(α1 ) ⎥ ⎢ ⎥ χHn ⎢ ⎥ = 22n . .. ⎣ ⎦ . Δ(α2n −1 )
Noticing Δ(α0 ) = 2n , we obtain s0 2n +
2n −1
Δ(αj ) = 0
j=1
sj Δ(αj ) = 22n . Since
if αj ∈ / R,
(14)
we have s0 2n + αj ∈R,j>0 sj Δ(αj ) = 22n . As s0 = #I, where # denotes the cardinal number of a set, we have αj ∈R,j>0 sj Δ(αj ) = 2n (2n − #I). Note that 2n (2n − #I) =
αj ∈R,j>0
sj Δ(αj ) ≤
αj ∈R,j>0
|sj Δ(αj )| ≤ sM ΔM (#R − 1). (15)
Hence the following inequality holds: sM ΔM (#R − 1) ≥ 2n (2n − #I).
(16)
From (13), we obtain n
#I · 2 =
n 2 −1
j=0
s2j
or
n
#I(2 − #I) =
n 2 −1
s2j .
(17)
j=1
Now we prove the first inequality that helps us understand properties of plateaued functions.
269
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
Theorem 19. Let f be a function on Vn and ξ denote the sequence of f . Then n 2 −1
j=0
Δ2 (αj ) ≥
23n #I
where the equality holds if and only if f is a plateaued function. Proof. By using (15), (12) and (17), we obtain
22n
H⎛ ⎞⎛ ⎞ I I I |sj Δ(αj )| ≤ J⎝ sj Δ(αj ) ≤ ≤ Δ2 (αj )⎠ s2j ⎠ ⎝ αj ∈R
αj ∈R
αj ∈R
αj ∈R
H⎛ ⎞⎛ ⎞ H I n I n −1 n −1 −1 2 2 I 2 I I⎝ 2 2 n J ⎠ ⎝ ⎠ sj Δ (αj ) ≤ #I2 Δ2 (αj ). ≤J j=0
Hence 23n /#I ≤
j=0
(18)
j=0
2n −1
Δ2 (αj ). We have proved the inequality in the theorem. 2n −1 Assume that the equality in the theorem holds i.e., j=0 Δ2 (αj ) = 23n /#I. This implies that all the equalities in (18) hold. Hence 22n =
j=0
sj Δ(αj ) =
αj ∈R
αj ∈R
H⎛ ⎞⎛ ⎞ I I I⎝ Δ2 (αj )⎠ s2j ⎠ ⎝ |sj Δ(αj )| = J αj ∈R
αj ∈R
H⎛ ⎞⎛ ⎞ H I n I n −1 n −1 2 −1 2 I 2 I I⎝ 2 n 2 J ⎠ ⎝ ⎠ Δ2 (αj ). Δ (αj ) = #I2 sj =J
(19)
j=0
j=0
j=0
Applying the property of Hölder’s Inequality to (19), we conclude that |Δ(αj )| = ν|sj |,
(20)
αj ∈ R,
where ν > 0 is a constant. Applying (20) and (17) to (19), we have 22n =
αj ∈R
H I n −1 2 I n 2 J |sj Δ(αj )| = #I2 ν s2j = ν#I2n .
(21)
j=0
From (19), we have αj ∈R sj Δ(αj ) = αj ∈R |sj Δ(αj )|. Hence (20) can be expressed more accurately as follows Δ(αj ) = νsj ,
(22)
αj ∈ R,
where ν > 0 is a constant. From (19), it is easy to see that Hence
2 αj ∈R sj
=
2n −1 j=0
s2j .
270
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
sj = 0 if αj ∈ / R.
(23)
Combining (22), (23) and (14), we have ν(s0 , s1 , . . . , s2n −1 ) = (Δ(α0 ), Δ(α1 ), . . . , Δ(α2n −1 )).
(24)
Comparing (24) and (13), we obtain νχHn = (Δ(α0 ), Δ(α1 ), . . . , Δ(α2n −1 )).
(25)
Further comparing (25) and the equation in Lemma 3, we obtain 2n νχ = ( ξ, ℓ0 !2 , . . . , ξ, ℓ2n −1 !2 ).
(26)
Note that χ is a real valued (0, 1)-sequence, containing #I ones. By using Parseval’s equation (Lemma 4), we obtain 2n ν(#I) = 22n . Hence ν(#I) = 2n , and there exists an integer r with 0 ≤ r ≤ n such that #I = 2r and ν = 2n−r . From (26) it is easy to see that ξ, ℓj !2 = 22n−r or 0. Hence r must be even. This proves that f is a plateaued function. Conversely assume that f is a plateaued function. Then there exists an even number r, 0 ≤ r ≤ n, such that #I = 2r and ξ, ℓj !2 = 22n−r or 0, Due to Lemma 3, 2n −1 2n −1 we have j=0 Δ2 (αj ) = 2−n j=0 ξ, ℓj !4 = 2−n · 2r · 24n−2r = 23n−r . Hence we 2n −1 have proved j=0 Δ2 (αj ) = 23n /#I. Lemma 24. Let f be a function on Vn and ξ √ denote the sequence of f . Then the nonlinearity Nf of f satisfies Nf ≤ 2n−1 − 2n−1 / #I, where the equality holds if and only if f is a plateaued function.
Proof. Set pM = maxj=0,1,...,2n −1 | ξ, ℓj !|, where ℓj is the jth row of Hn , 0 ≤ j ≤ 2n 2 2n −1. Using Parseval’s √ equation (Lemma 4), we obtain pM #I ≥ 2 . Due to Lemma 7, n−1 n−1 −2 / #I. Assume that f is a plateaued function. Then there exists an Nf ≤ 2 even number r, 0 ≤ r ≤ n, such that #I = 2r and each ξ, ℓj !2 takes either the value of pM = 22n−r or 0 only, where ℓj denotes the jth row of Hn , j = 0, 1, . . . , 2n − 1. Hence √ 2n−r/2 . By using Lemma 7, we have Nf = 2√n−1 − 2n−r/2−1 = 2n−1 − 2n−1 / #I. n−1 − 2n−1 / #I. From Lemma 7, we have also Nf = Conversely, assume that N√ f =2 √ n n−1 − pM /2. Hence pM #I = 2 . Since both pM and #I are integers and powers 2 r ≤ n. Hence pM = 2n−r/2 . of two, we can let #I = 2r , where r is an integer with 0 ≤ Obviously r is even. From Parseval’s equation (Lemma 4), j∈I ξ, ℓj !2 = 22n , and the fact that p2M #I = 22n , we conclude that ξ, ℓj !2 = 22n−r for all j ∈ I. This proves that f is a plateaued function. From the proof of Lemma 24, we can see that Lemma 24 can be stated in a different way as follows. Lemma 25. Let f be a function f on Vn and ξ denote the sequence of f . Set pM = max√j=0,1,...,2n −1 | ξ, ℓj !|, where ℓj is the jth row of Hn , 0 ≤ j ≤ 2n − 1. Then pM #I ≥ 2n where the equality holds if and only if f is a plateaued function. Summarizing Theorem 19, Lemmas 24 and 25, we conclude
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
271
Theorem 20. Let f be a function on Vn and ξ denote the sequence of f . Set pM = maxj=0,1,...,2n −1 | ξ, ℓj !|, where ℓj is the jth row of Hn , 0 ≤ j ≤ 2n − 1. Then the following statements are equivalent: (i) f is a plateaued function on Vn , (ii) there exists an even number r, 0 ≤ r ≤ 2n , such that #I = 2r and each ξ, ℓj !2 takes the value of 22n−r or 0 only, where ℓj denotes the jth row of Hn , j = 0, 1, . . . , 2n − 1, 2n −1 (iii) j=0 Δ2 (αj ) = 23n /#I, (iv) the nonlinearity of f , Nf , satisfies Nf = 2n−1 − G n √ √ 2 −1 2 2n−1 / #I, (v) pM #I = 2n , (vi) Nf = 2n−1 − 2−n/2−1 j=0 Δ (αj ).
Proof. Due to Definition 12, Theorem 19, Lemmas 24 and 25, (i), (ii), (iii), (iv), and (v) hold. (vi) follows from (iii) and (iv). We now proceed to prove the second inequality that relates Δ(αj ) to nonlinearity.
Theorem 21. Let f be a function on Vn and ξ denote the sequence of f . Then the nonlinearity Nf of f satisfies H I2n −1 I n−1 −n/2−1 J Nf ≤ 2 −2 Δ2 (αj ), j=0
where the equality holds if and only if f is a plateaued function on Vn . Proof. Set pM = maxj=0,1,...,2n −1 | ξ, ℓj !|. Multiplying the equality in Lemma 3 by 2n −1 2n −1 2n −1 4 2 2 itself, we have 2n j=0 Δ2 (αj ) = j=0 ξ, ℓj ! ≤ pM j=0 ξ, ℓj ! . Applying 2n −1 2 Parseval’s equation (Lemma 4) to the above equality, we have j=0 Δ (αj ) ≤ 2n p2M . G n 2 −1 2 Hence pM ≥ 2−n/2 j=0 Δ (αj ). By using Lemma 7, we have proved the inequalG n 2 −1 2 ity Nf ≤ 2n−1 − 2−n/2−1 j=0 Δ (αj ). The rest part of the theorem can be proved by using Theorem 20. Theorem 19, Lemmas 24 and 25 and Theorem 20 represent characterizations of plateaued functions. To close this section, us note that since Δ(α0 ) = 2n and #I ≤ 2n , we G let √ n −1 2 n−1 2 have 2n−1 − 2−n/2−1 − 2n/2−1 and 2n−1 − 2n−1 / #I ≤ j=0 Δ (αj ) ≤ 2 G n 2 −1 2 2n−1 − 2n/2−1 . Hence both inequalities Nf ≤ 2n−1 − 2−n/2−1 j=0 Δ (αj ) and √ n−1 n−1 Nf ≤ 2 −2 / #I are improvements on a more commonly used inequality Nf ≤ 2n−1 − 2n/2−1 . 8.2. Other Cryptographic Properties of Plateaued Functions By using Lemma 7, we conclude Proposition 5. Let f be a rth-order plateaued function on Vn . Then the nonlinearity Nf of f satisfies Nf = 2n−1 − 2n−r/2−1 . The following result is the same as Theorem 18 of [24].
272
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
Lemma 26. Let f be a function on Vn (n ≥ 2), ξ be the sequence of f , and p is an integer, 2 ≤ p ≤ n. If ξ, ℓj ! ≡ 0 (mod 2n−p+2 ), where ℓj is the jth row of Hn , j = 0, 1, . . . , 2n − 1, then the algebraic degree of f is at most p − 1. Using Lemma 26, we obtain Proposition 6. Let f be a rth-order plateaued function on Vn . Then the algebraic degree of f , denoted by deg(f ), satisfies deg(f ) ≤ r/2 + 1. We note that the upper bound on algebraic degree in Proposition 6 is tight for r < n. For the case of r = n, any nth-order plateaued function is a bent function on Vn . [14] gives a better upper bound on the algebraic degree of a bent function on Vn . That bound is n/2. The following property of plateaued functions can be verified by noting their definition. Proposition 7. Let f be a rth-order plateaued function on Vn , B be any nonsingular n × n matrix over GF(2) and α be any vector in Vn . Then f (xB ⊕ α) is also a rth-order plateaued function on Vn . Theorem 22. Let f be a rth-order plateaued function on Vn . Then the linearity of f , denoted by q, satisfies q ≤ n − r, where the equality holds if and only if f is partiallybent. Proof. There exists a nonsingular n×n matrix B over GF(2) such that f (xB) = g(y)⊕ h(z), where x = (y, z), y ∈ Vp , z ∈ Vq , p + q = n, g is a function on Vp and g does not have nonzero linear structures, h is a linear function on Vq . Hence q is equal to the linearity of f . Set f ∗ (x) = f (xB). Let ξ, η and ζ denote the sequences of f ∗ , g and h respectively. Then ξ = η × ζ, where × denotes the Kronecker product, defined in Notation 1. From the structure of Hn , each row of Hn , L, can be expressed as L = ℓ × e, where ℓ is a row of Hp and e is a row of Hq . Then we have ξ, L! = η, ℓ! ζ, e!. Since h is linear, ζ is a row of Hq . Replace e by ζ, we have ξ, L′ ! = η, ℓ! ζ, ζ! = 2q η, ℓ! where L′ = ℓ × ζ is still a row of Hn . Note that f ∗ is also a rth-order plateaued function on Vn . Hence ξ, L! takes the value of ±2n−r/2 or zero only. Therefore η, ℓ! must take the value of ±2n−r/2−q = ±2p−r/2 or zero only. This proves that g is a rth-order plateaued function on Vp . Hence r ≤ p and r ≤ n − q, i.e., q ≤ n − r. Assume that q = n − r. Then p = r. Then each η, ℓ! takes the value of ±2r/2 = ±2p/2 or zero only, where ℓ is any row of Hp . Hence applying Parseval’s equation (Lemma 4) to g, we can conclude that for each row ℓ of Hp , η, ℓ! cannot take the value of zero. In other words, for each row ℓ of Hp , η, ℓ! takes the value of ±2p/2 only. Hence we have proved that g is a bent function on Vp . Due to Theorem 2, f is partiallybent. Conversely, assume that f is partially-bent. Due to Theorem 2, g is a bent function on Vp . Hence each η, ℓ! takes the value of ±2p/2 only, where ℓ is any row of Hp . As both ζ and e are rows of Hq , ζ, e! takes the value 2q or zero only. We then conclude that ξ, L! takes the value ±2q+p/2 or zero only. Recall that f is a rth-order plateaued function on Vn . Hence q + p/2 = n − r/2. This implies that r = p, i.e., q = n − r. 8.3. Relationships between Partially-Bent Functions and Plateaued Functions To examine more profound relationships between partially-bent functions and plateaued functions, we introduce one more characterization of partially-bent functions as follows.
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
273
Theorem 23. For every function f on Vn , we have ΔM 2n − #I ≤ n (#R − 1), #I 2 where the equality holds if and only if f is partially-bent. Proof. From Notation 7, we have sM ≤ s0 = #I. As a consequence of (16), we obtain the inequality in the theorem. Next we consider the equality in the theorem. Assume that the equality holds, i.e., ΔM (#R − 1)#I = 2n (2n − #I). From (15), 2n (2n − #I) ≤
αj ∈R,j>0
|sj Δ(αj )| ≤ ΔM
αj ∈R,j>0
|sj | ≤ ΔM (#R − 1)#I. (27)
We can see that all the equalities in (27) hold. Hence ΔM (#R − 1)#I =
αj ∈R,j>0
|sj Δ(αj )|.
Note that |sj | ≤ #I and |Δ(αj )| ≤ ΔM , for j > 0. Hence we obtain |sj | = #I
whenever αj ∈ R and j > 0
(28)
and |Δ(αj )| = ΔM for all αj ∈ R with j > 0. Applying (28) to (17), and noticing 2n −1 2 2 2 that s0 = #I, we obtain #I · 2n = j=0 sj ≥ αj ∈R sj = (#R)(#I) . This results in 2n ≥ (#R)(#I). Together with the inequality in Theorem 2, it proves that (#R)(#I) = 2n , i.e., f is a partially-bent function. Conversely, assume that f is a partially-bent function, i.e., (#I)(#R) = 2n . Then the inequality in the theorem is specialized as ΔM (2n − #I) ≥ 2n (2n − #I).
(29)
We need to examine two cases. Case 1: #I = 2n . Obviously the equality in (29) holds. Case 2: #I =
2n . From (29), we have ΔM ≥ 2n . Thus ΔM = 2n . This completes the proof. Next we consider a non-bent function f . With such a function we have ΔM = 0. Thus from Theorem 23, we have the following result. Corollary 10. For every non-bent function f on Vn , we have (#I)(#R) ≥ 2n (2n − #I)/ΔM + #I where the equality holds if and only if f is partially-bent (but not bent). Proposition 8. For every non-bent function f , we have 2n (2n − #I)/ΔM + #I ≥ 2n where the equality holds if and only if #I = 2n or f has a nonzero linear structure. Proof. Since ΔM ≤ 2n , the inequality is obvious. On the other hand, it is easy to see that the equality holds if and only if (2n − ΔM )(2n − #I) = 0.
274
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
From Proposition 8, one observes that for any non-bent function f , Corollary 10 implies Theorem 2. Theorem 24. Let f be a rth-order plateaued function. Then the following statements are equivalent: (i) f is a partially-bent function, (ii) #R = 2n−r , (iii) ΔM (#R − 1) = 22n−r − 2n , (iv) the linearity q of f satisfies q = n − r. Proof. (i) =⇒ (ii). Since f is a partially-bent function, we have (#I)(#R) = 2n . As f is a rth-order plateaued function, #I = 2r and hence #R = 2n−r . (ii) =⇒ (iii). It is obviously true when r = n. For the case of r < n. Using Theorem 23, we have (2n − #I)/#I ≤ ΔM (#R − 1)/2n which is specialized as 2n−r − 1 ≤
ΔM n−r (2 − 1). 2n
(30)
From (30) and the fact that ΔM ≤ 2n , we obtain 2n−r − 1 ≤ ΔM (2n−r − 1)/2n ≤ 2n−r − 1. Hence ΔM = 2n or r = n. (iii) obviously holds when ΔM = 2n . When r = n, we have #R = 1 and hence (iii) also holds. (iii) =⇒ (i). Note that (iii) implies (2n − #I)/#I = ΔM (#R − 1)/2 where #I = 2r . By Theorem 23, f is partially-bent. Due to Theorem 22, (iv) ⇐⇒ (i). 8.4. Constructing Plateaued Functions and Disproof of the Converse of Proposition 4 8.4.1. Disproof of the Converse of Proposition 4 Lemma 27. For any positive integers t and k with k < 2t < 2k , there exist k + 1 nonzero vectors in Vk , say γ0 , γ1 , . . . , γk , such that for any nonzero vector γ ∈ Vk , we have ( γ0 , γ!, γ1 , γ!, . . . , γk , γ!) = (0, 0, . . . , 0) and ( γ0 , γ!, γ1 , γ!, . . . , γk , γ!) = (1, 1, . . . , 1). Proof. We choose k linearly independent vectors in Vk , say γ1 , . . . , γk . From linear algebra, ( γ1 , γ!, . . . , γk , γ!) goes through all the nonzero vectors in Vk exactly once while γ goes through all the nonzero vectors in Vk . Hence there exists a unique γ ∗ satisfying ( γ1 , γ ∗ !, . . . , γk , γ ∗ !) = (1, . . . , 1) and hence for any nonzero vector γ ∈ Vk with γ = γ ∗ , { γ1 , γ!, . . . , γk , γ!} contains both one and zero. Let γ0 be a nonzero vec/ {γ1 , . . . , γk }. It is easy to see that tor in Vk , such that γ0 , γ ∗ ! = 0. Obviously γ0 ∈ γ0 , γ1 , . . . , γk satisfy the property in the lemma. Let t and k be positive integers with k < 2t < 2k . Set n = t + k and r = 2n − 2k = 2t. We now prove the existence of balanced rth-order plateaued functions on Vn and disproves the converse of Proposition 4. We will not discuss nth-order and 0th-order plateaued function on Vn as they are simply bent and affine functions respectively. Since t < k, there exists a mapping P from Vt to Vk satisfying (i) P (β) = P (β ′ ) if β = β ′ , (ii) γ0 , γ1 , . . . , γk ∈ P (Vt ), where P (Vt ) = {P (β) | β ∈ Vt }, (iii) 0 ∈ / P (Vt ), where 0 denotes the zero vector in Vk .
We define a function f on Vt+k as f (x) = f (y, z) = P (y)z T . where x = (y, z), y ∈ Vt and z ∈ Vk . Denote the sequence of f by ξ. Let L be a row of Ht+k . Hence
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
275
L = e × ℓ where e is a row of Ht and ℓ is a row of Hk . Once again from the properties of Sylvester–Hadamard matrices, L is the sequence of a linear function Vt+k , denoted by ψ, ψ(x) = α, x!, α = (β, γ) and x = (y, z) where y, β ∈ Vt and z, γ ∈ Vk . Hence ψ(x) = β, y! ⊕ γ, z!. Note that
ξ, L! =
(−1)P (y)z
T
⊕β,y⊕γ,z
y∈Vt ,z∈Vk
=
(−1)β,y
y∈Vt
=
2k 0
(−1)(P (y)⊕γ)z
T
z∈Vk
β,y P (y)=γ (−1)
= 2k (−1)β,P
−1
(γ)
if P −1 (γ) exists, otherwise.
(31)
Thus f is a rth-order plateaued function on Vn . Next we prove that f has no nonzero linear structures. Let α = (β, γ) be a nonzero vector in Vt+k where β ∈ Vt and γ ∈ Vk . Δ(α) = ξ, ξ(α)! =
(−1)P (y)z
T
⊕P (y⊕β)(z⊕γ)T
y∈Vt ,z∈Vk
=
y∈Vt
(−1)P (y⊕β)γ
T
T
(−1)(P (y)⊕P (y⊕β))z .
(32)
z∈Vk
There exist two cases to be considered: β = 0 and β = 0. When β = 0, due to the prop T erty (i) of P , we have P (y) = P (y ⊕β). Hence we have z∈Vk (−1)(P (y)⊕P (y⊕β))z = 0 from which it follows that Δ(α) = 0. On the other hand, when β = 0, we have T Δ(α) = 2k y∈Vt (−1)P (y)γ . Due to Lemma 27, P (y)γ T cannot be a constant. Hence P (y)γ T
= ±2t which implies that Δ(α) = 2t+k . Thus we can conclude y∈Vt (−1) that f has no nonzero linear structures. Finally, due to the property (iii) of P , f must be balanced. Therefore we have Lemma 28. Let k, t be possible integers with k < 2t < 2k , n = t + k and r = 2t. Then there exists a balanced rth-order plateaued function on Vn that does not have a nonzero linear structure. Lemma 28 not only indicates the existence of balanced plateaued function of any order r with 0 < r < n, but also shows that the converse of Proposition 4 is not true. f has some other interesting properties. In particular, due to Proposition 5, the nonlinearity Nf of f satisfies Nf = 2n−1 − 2n−r/2−1 . Since f is not partially-bent, Theorem 2 tells us that (#I)(#R) > 2n . This proves that #R > 2n−r . Now we summaries the relationships among bent, partially-bent and plateaued functions. Let Bn denote the set of bent functions on Vn , Pn denote the set of partially-bent functions on Vn and Fn denote the set of plateaued functions on Vn . Then the above results imply that Bn ⊂ Pn ⊂ Fn , where ⊂ denotes the relationship of proper subset. We further let Gn denote the set of plateaued functions on Vn that do not have nonzero linear structures and are not bent functions. Lemma 28 ensures that Gn is non-empty.
276
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
8.4.2. Constructing Balanced rth-Order Plateaued Functions Satisfying SAC Next we consider how to improve the function in the proof of Lemma 28 so as to obtain a rth-order plateaued function on Vn satisfying the strictly avalanche criterion (SAC), in addition to all the properties mentioned in Section 8.4.1. Note that if r > 2, i.e., t > 1, then from Section 8.4.1, we have #R ≤ 2n−r/2 < 2n−1 . In other words, #Rc > 2n−1 where Rc denotes the complementary set of R. Hence there exist n linearly independent vectors in Rc . In other words, there exist n linearly independent vectors with respect to which f satisfies the avalanche criterion. Hence we can choose a nonsingular n × n matrix A over GF(2) such that g(x) = f (xA) satisfies the SAC (see [25]). The nonsingular linear transformation A does not alter any of the properties of f discussed in Section 8.4.1. Thus we have Theorem 25. Let n be a positive number and r be any even number with 0 < r < n. Then there exists a balanced rth-order plateaued function on Vn that does not have a nonzero linear structure and satisfies the SAC. 8.4.3. Constructing Balanced rth-Order Plateaued Functions Satisfying SAC and Having Maximum Algebraic Degree We can further improve the function described in Section 8.4.2 so as to obtain a rthorder plateaued functions on Vn that have the highest algebraic degree and satisfy all the properties mentioned in Section 8.4.2. Theorem 1 in Chapter 13 of [2] allows us to verify that the following lemma is true. Theorem 26. Let k, t be possible integers with k < 2t < 2k , n = t + k and r = 2t. Then there exists a balanced rth-order plateaued function on Vn that does not have a nonzero linear structure, satisfies the SAC and has the highest possible algebraic degree r/2 + 1. 8.4.4. Constructing Balanced rth-Order Plateaued and Correlation Immune Functions Let f be a function on Vn , ξ be the sequence of f and ℓi denote the ith row of Hn , i = 0, 1, . . . , 2n − 1. Recall that in Notation 3 we defined If = {i ∈ {0, 1, . . . , 2n − 1} | ξ, ℓi ! = 0}. Now let I∗f = {αi | 0 ≤ i ≤ 2n − 1, i ∈ If }. I∗f will be used in the following description of constructing plateaued functions that are correlation immune. Lemma 29. Let f be a function on Vn , ξ be the sequence of f , and ℓi denote the ith row of Hn . Also let W be an r-dimensional linear subspace of Vn such that I∗f ⊆ W , and s = ⌊n/r⌋ where ⌊n/r⌋ denotes the maximum integer not larger than n/r. Then there exists a nonsingular n × n matrix B on GF(2) such that h(y) = g(yB) is an (s − 1)th-order correlation immune function. Theorem 27. Let t and k be positive integers with k < 2t < 2k . Let n = k + t and r = 2t. Then there exists a rth-order plateaued function on Vn that is also an (s − 1)thorder correlation immune function, where s = ⌊n/(r + 1)⌋ or s = ⌊(t + k)/(2t + 1)⌋, and does not have a nonzero linear structure. Other constructions of plateaued functions can be found in [26].
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
277
9. Relationships among Avalanche, Nonlinearity, and Correlation Immunity 9.1. A Tight Lower Bound on Nonlinearity of Boolean Functions Satisfying Avalanche Criterion of Degree p Lemma 30. Let (a0 , a1 , . . . , a2n −1 ) and (b0 , b1 , . . . , b2n −1 ) be two real-valued sequences of length 2n , satisfying (a0 , a1 , . . . , a2n −1 )Hn = (b0 , b1 , . . . , b2n −1 ). Let p be an integer with 1 ≤ p ≤ n − 1. For any fixed i with 0 ≤ i ≤ 2n−p − 1 and any fixed j with 0 ≤ j ≤ 2p − 1, let χi = (ai·2p , a1+i·2p , . . . , a2p −1+i·2p ) and λj = (bj , bj+2p , bj+2·2p , . . . , bj+(2n−p −1)2p ). Then we have 2n−p χi , ej ! = λj , ℓi !,
i = 0, 1, . . . , 2n−p − 1, j = 0, 1, . . . , 2p − 1,
(33)
where ℓi denotes the ith row of Hn−p and ej denotes the jth row of Hp . Lemma 30 can be viewed as a refined version of the Hadamard transformation (a0 , a1 , . . . , a2n −1 )Hn = (b0 , b1 , . . . , b2n −1 ) and it will be a useful mathematical tool in proving the following two lemmas. These two lemmas will then play a significant role in proving the main results of this paper. Lemma 31. Let f be a non-bent function on Vn , satisfying the avalanche criterion of degree p. Denote the sequence of f by ξ. If there exists a row L∗ of Hn such that | ξ, L∗ !| = 2n−p/2 , then α2t+p +2p −1 is a nonzero linear structure of f , where α2t+p +2p −1 is the vector in Vn corresponding to the integer 2t+p + 2p − 1, t = 0, 1, . . . , n − p − 1. Lemma 32. Let f be a non-bent function on Vn , satisfying the avalanche criterion of degree p. Denote the sequence of f by ξ. If there exists a row L∗ of Hn , such that | ξ, L∗ !| = 2n−p/2 , then p = n − 1 and n is odd. Theorem 28. Let f be a function on Vn , satisfying the avalanche criterion of degree p. Then (i) the nonlinearity Nf of f satisfies Nf ≥ 2n−1 − 2n−1−p/2 , (ii) the equality in (i) holds if and only if one of the following two conditions holds: (a) p = n−1, n is odd and f (x) = g(x1 ⊕xn , . . . , xn−1 ⊕xn )⊕h(x1 , . . . , xn ), where x = (x1 , . . . , xn ), g is a bent function on Vn−1 , and h is an affine function on Vn ; (b) p = n, f is bent and n is even. 9.2. Relationships between Avalanche and Correlation Immunity Next we look at the structure of a function on Vn that satisfies the avalanche criterion of degree n − 1. Lemma 33. Let f be a function on Vn . Then (i) f is non-bent and satisfies the avalanche criterion of degree n − 1, if and only if n is odd and f (x) = g(x1 ⊕ xn , . . . , xn−1 ⊕ xn ) ⊕ c1 x1 ⊕ · · · ⊕ cn xn ⊕ c, where x = (x1 , . . . , xn ), g is a bent function on Vn−1 , and c1 , . . . , cn and c are all constants in GF(2);
278
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
(ii) f is balanced and satisfies the avalanche criterion of degree n − 1, if and only if n is odd and f (x) = g(x1 ⊕ xn , . . . , xn−1 ⊕ xn ) ⊕ c1 x1 ⊕ · · · ⊕ cn xn ⊕ c, where g is a bent 3 function on Vn−1 , and c1 , . . . , cn and c are all constant in n GF(2), satisfying j=1 cj = 1.
9.2.1. The Case of Balanced Functions
Theorem 29. Let f be a balanced qth-order correlation immune function on Vn , satisfying the avalanche criterion of degree p. Then we have p + q ≤ n − 2. 9.2.2. The Case of Unbalanced Functions We turn our attention to unbalanced functions. A direct proof of the following Lemma can be found in [17]. Lemma 34. Let k ≥ 2 be a positive integer and 2k = a2 + b2 , where both a and b are integers with a ≥ b ≥ 0. Then a = 2k/2 and b = 0 when k is even, and a = b = 2(k−1)/2 otherwise. Theorem 30. Let f be an unbalanced qth-order correlation immune function on Vn , satisfying the avalanche criterion of degree p. Then (i) p + q ≤ n, (ii) the equality in (i) holds if and only if n is odd, p = n − 1, q = 1 and f (x) = g(x1 ⊕xn , . . . , xn−1 ⊕xn )⊕c1 x1 ⊕· · ·⊕cn xn ⊕c, where x = (x1 , . . . , xn ), g is a3bent function on Vn−1 , c1 , . . . , cn and c are all constants in GF(2), satisfying n j=1 cj = 0.
Theorem 31. Let f be an unbalanced qth-order correlation immune function on Vn , satisfying the avalanche criterion of degree p. If p + q = n − 1, then f also satisfies the avalanche criterion of degree p + 1, n is odd and f must take the form mentioned in (ii) of Theorem 30. From Theorems 30 and 31, we conclude
Corollary 11. Let f be an unbalanced qth-order correlation immune function on Vn , satisfying the avalanche criterion of degree p. Then (i) p + q ≤ n, and the equality holds if and only if n is odd, p = n − 1, q = 1 and f (x) = g(x1 ⊕ xn , . . . , xn−1 ⊕ xn ) ⊕ c1 x1 ⊕ · · · ⊕ cn xn ⊕ c, where x = (x1 , . . . , xn ), g is a bent 3n function on Vn−1 , c1 , . . . , cn and c are all constants in GF(2), satisfying j=1 cj = 0, (ii) p + q ≤ n − 2 if q = 1. When a correlation immune function is balanced, it is said to be cryptographically resilient. Analogous to order of correlation immunity, we can define order of resiliency for a cryptographically resilient function. Further results on relationships between nonlinearity and correlation immunity can be found in [27,28,29,30,31]. In addition, authors of [32] presented new construction methods for balanced Boolean functions with such desirable cryptographic properties as balance, hight nonlinearity, good avalanche characteristics and correlation immunity.
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
279
10. Concluding Remarks Cryptographic Boolean functions remain a fascinating area of research both to theoreticians and practitioners. Recent progress in cryptanalysis made by Xiaoyun Wang and co-workers [33] indicated that sometimes a cryptographic algorithm may still be vulnerable even though the algorithm employs Boolean functions with highly desirable nonlinear properties. This, however, should not be interpreted as an indication that nonlinear Boolean functions are irrelevant to cryptographic algorithms. A more prudent view is that nonlinear Boolean functions need to be applied in an appropriate way that enhances the security of a cryptographic algorithm. Identifying methods or best practices for applying nonlinear Boolean functions that strengthen the security of cryptographic algorithms is an important area worth further research.
References [1] C. Carlet, Partially-bent functions, Designs, Codes and Cryptography 3 (1993), 135–145. [2] F.J. MacWilliams and N.J.A. Sloane, The Theory of Error-Correcting Codes, North-Holland, Amsterdam, New York, Oxford, 1977. [3] J. Seberry, X.M. Zhang, and Y. Zheng, Nonlinearity and propagation characteristics of balanced Boolean functions, Information and Computation 119(1) (1995), 1–13. [4] W. Meier and O. Staffelbach, Nonlinearity criteria for cryptographic functions, Proc. of EUROCRYPT’89, Lecture Notes in Computer Science 434 (1990), Springer-Verlag, Berlin, Heidelberg, New York, 549–562. [5] B. Preneel, W.V. Leekwijck, L.V. Linden, R. Govaerts, and J. Vandewalle, Propagation characteristics of Boolean functions, Proc. of EUROCRYPT’90, Lecture Notes in Computer Science 437 (1991), SpringerVerlag, Berlin, Heidelberg, New York, 155–165. [6] H. Feistel, Cryptography and computer privacy, Scientific American 228(5) (1973), 15–23. [7] D. Coppersmith, The development of DES, Invited talk at CRYPTO’2000. [8] E. Biham and A. Shamir, Differential cryptanalysis of DES-like cryptosystems, Journal of Cryptology 4(1) (1991), 3–72. [9] M. Matsui, Linear cryptanalysis method for DES cipher, Proc. of EUROCRYPT’93, Lecture Notes in Computer Science 765 (1994), Springer-Verlag, Berlin, Heidelberg, New York, 386–397. [10] X.M. Zhang and Y. Zheng, GAC—the criterion for global avalanche characteristics of cryptographic functions, Journal of Universal Computer Science 1(5) (1995), 316–333, http://www.jucs.org/. [11] T. Siegenthaler, Correlation-immunity of nonlinear combining functions for cryptographic applications, IEEE Transactions on Information Theory IT-30(5) (1984), 776–779. [12] P. Camion, C. Carlet, P. Charpin, and N. Sendrier, On correlation-immune functions, Proc. of CRYPTO’91, Lecture Notes in Computer Science 576 (1991), Springer-Verlag, Berlin, Heidelberg, New York, 87–100. [13] Xiao Guo-Zhen and J. L. Massey, A spectral characterization of correlation-immune combining functions, IEEE Transactions on Information Theory 34(3) (1988), 569–571. [14] O.S. Rothaus, On “bent” functions, Journal of Combinatorial Theory, Ser. A 20 (1976), 300–305. [15] J. Wang, The linear kernel of Boolean functions and partially-bent functions, System Science and Mathematical Science 10 (1997), 6–11. [16] N.J. Patterson and D.H. Wiedemann, The covering radius of the (215 , 16) Reed–Muller code is at least 16276, IEEE Transactions on Information Theory IT-29(3) (1983), 354–356. [17] X.M. Zhang and Y. Zheng, Characterizing the structures of cryptographic functions satisfying the propagation criterion for almost all vectors, Design, Codes and Cryptography 7(1/2) (1996), 111–134. Special issue dedicated to Gus Simmons. [18] J. Seberry, X.M. Zhang, and Y. Zheng, The relationship between propagation characteristics and nonlinearity of cryptographic functions, Journal of Universal Computer Science 1(2) (1995), 136–150, http://www.jucs.org/.
280
Y. Zheng and X.-M. Zhang / On Balanced Nonlinear Boolean Functions
[19] R. L. Graham, M. Grötschel, and L. Lovász (eds.), Handbook of Combinatorics, volume I, Elsevier Science B. V., 1995. [20] X.M. Zhang, J. Pieprzyk, and Y. Zheng, Algebraic immunity and annihilators, Proc. of the 9th International Conference on Information Security and Cryptology (ICISC’2006), Busan, Korea, Lecture Notes in Computer Science 4296 (2006), Springer-Verlag, Berlin, Heidelberg, New York, 65–80. [21] Y. Zheng and X.M. Zhang, Plateaued functions, Proc. of ICICS’99, Lecture Notes in Computer Science 1726 (1999), Springer-Verlag, Berlin, Heidelberg, New York, 284–300. [22] X.M. Zhang and Y. Zheng, On plateaued functions, IEEE Transactions on Information Theory IT-47(3) (2001), 1215–1223. [23] F. Erwe, Differential And Integral Calculus, Oliver and Boyd Ltd, Edinburgh and London, 1967. [24] X.M. Zhang, Y. Zheng, and H. Imai, Duality of Boolean functions and its cryptographic significance, Proc. of ICICS’97, Lecture Notes in Computer Science 1334 (1997), Springer-Verlag, Berlin, Heidelberg, New York, 159–169. [25] J. Seberry, X.M. Zhang, and Y. Zheng, Improving the strict avalanche characteristics of cryptographic functions, Information Processing Letters 50 (1994), 37–41. [26] C. Carlet and E. Prouff, On plateaued functions and their constructions, Proc. of Fast Software Encryption 2003, Lecture Notes in Computer Science 2887 (2003), Springer-Verlag, Berlin, Heidelberg, New York, 54–73. [27] S. Maitra and P. Sarkar, Highly nonlinear resilient functions optimizing Siegenthaler’s inequality, Proc. of CRYPTO’1999, Lecture Notes in Computer Science 1666 (1999), Springer-Verlag, Berlin, Heidelberg, New York, 198–215. [28] P. Sarkar and S. Maitra, Nonlinearity bounds and constructions of resilient Boolean functions, Proc. of CRYPTO’2000, Lecture Notes in Computer Science 1880 (2000), Springer-Verlag, Berlin, Heidelberg, New York, 515–532. [29] Y. Tarannikov, On resilient Boolean functions with maximal possible nonlinearity, Proc. of Indocrypt’2000, Lecture Notes in Computer Science 1977 (2000), Springer-Verlag, Berlin, Heidelberg, New York, 19–30. [30] Y. Zheng and X.M. Zhang, Improved upper bound on the nonlinearity of high order correlation immune functions, Proc. of the 7th Annual International Workshop on Selected Areas in Cryptography (SAC’2000), Lecture Notes in Computer Science 2012 (2001), Springer-Verlag, Berlin, Heidelberg, New York, 264–274. [31] Y. Tarannikov, P. Korolev, and A. Botev, Autocorrelation coefficients and correlation immunity of Boolean functionstions, Proc. of ASIACRYPT’2001, Lecture Notes in Computer Science 2248 (2001), Springer-Verlag, Berlin, Heidelberg, New York, 460–479. [32] P. Sarkar and S. Maitra, Constructions of highly nonlinear balanced Boolean functions with important cryptographic properties, Proc. of EUROCRYPT’2000, Lecture Notes in Computer Science 1807 (2000), Springer-Verlag, Berlin, Heidelberg, New York, 485–506. [33] Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu, Finding Collisions in the Full SHA-1, Proc. of CRYPT’2005, Lecture Notes in Computer Science 3621 (2005), Springer-Verlag, Berlin, Heidelberg, New York, 17–36.
Students’ Talks
This page intentionally left blank
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-283
283
On Properties of Correlation Immune Functions with High Nonlinearity Anton BOTEV Lomonosov University, Moscow, Russia Abstract. We present a new large family of correlation immune Boolean functions having high nonlinearity. This family includes some known classes of highly nonlinear m-resilient functions as particular cases. We state that functions of this family have a growing algebraic immunity (together with the growth of inputs). Veloc√ ity of such a growth is at least Ω( n). Keywords. Boolean function, correlation immunity, algebraic immunity, nonlinearity
Introduction In this paper we give a consideration to certain tradeoffs between some important cryptographical parameters of balanced Boolean functions, namely: nonlinearity, correlation immunity and algebraic immunity. Such parameters are considered as crucial when using Boolean functions as generating functions in Linear Feedback Shift Registers. They have complex tradeoffs between each another, so in some cases there is no function having even two optimal parameters at the same time. So, the general approach in learning cryptographically “good” functions is to fix some of the parameters and try to tune up the others. Historically the first tradeoff of such a kind was the tradeoff between nonlinearity and correlation immunity. Three groups of researchers, Sarkar and Maitra [1], Tarannikov [2], Zheng and Zhang [3], proved that for an n-variable mth order correlation immune Boolean function f , n − m ≥ 1, the inequality nl(f ) ≤ 2n−1 − 2m holds. Moreover, if f is balanced (i. e. m-resilient), n − m ≥ 2, then nl(f ) ≤ 2n−1 − 2m+1 . Moreover, Tarannikov constructed [4] a recursive (growing with respect to n the sequence of m-resilient functions having best possible nonlinearity (0.6n − 1 ≤ m ≤ n − 2). Further we propose the family of functions having Tarannikov’s construction as a particular case. After that Pasalic, Maitra, Johansson and Sarkar proposed [5] another recursive construction of functions with maximal nonlinearity based on Tarannikov’s functions. These functions are the particular case of our construction, too. Then, fixing both nonlinearity and correlation immunity we can check up the value of a relatively new [6] concept of algebraic immunity. The notion of algebraic immunity was emerged with appearance of algebraic attack proposed in 2005 [7]. High algebraic immunity may conflict with other criteria. Existing examples [8,9] have not good enough other cryptographically important parameters, or they are not controlled.
284
A. Botev / On Properties of Correlation Immune Functions with High Nonlinearity
It turned out, however, that for a new family of Boolean functions the value of algebraic immunity is growing together with the growth of inputs n (and, accordingly, of √ nonlinearity and of correlation immunity), with velocity not less than Ω( n).
1. Basic Definitions and Background We consider the binary vector space of n-variable Boolean functions, i.e., the space of functions from Fn2 to F2 . Every Boolean function can be written in an unique way as an n-variable polynomial over Fn2 where the degree of each variable is at most 1 using Algebraic Normal Form (ANF): f (x1 , . . . , xn ) =
%
a1 ,...,an ∈Fn 2
g(a1 , . . . , an )xa1 1 · · · xann ,
where g is also function over Fn2 . Algebraic degree of f (deg f is the number of variables in the longest term of ANF. A function is said to be affine iff deg f ≤ 1. The weight of a Boolean function f (or wt(f ))is the number of vectors x over Fn2 such that f (x) = 1. The distance between functions f and g is the weight of f ⊕ g. A function f is said to be balanced if wt(f ) = wt(f ⊕ 1) = 2n−1 . The nonlinearity of f is the minimal distance between f and the set of all affine functions. A Boolean function f is said to be correlation immune of order m if the output and every m inputs of f are statistically independent. If in addition f is balanced then it is said to be m-resilient. Correlation immunity of f is the maximal value of m holding m-immunity of f . Finally, algebraic immunity of f is the minimal degree of a nontrivial annihilator either of f or of f + 1, i.e., the minimal degree of a function g such that either f · g = 0 or (f + 1) · g = 0). 1.1. Known Tradeoffs between Cryptographically Significant Properties 1.1.1. Correlation Immunity vs Nonlinearity Sarkar, Maitra [1], Tarannikov [2], Zheng, Zhang [3], 2000: For an n-variable mth order correlation immune Boolean function f , n − m ≥ 1, the inequality nl(f ) ≤ 2n−1 − 2m holds. Moreover, if f is balanced (i.e., m-resilient), n − m ≥ 2, then nl(f ) ≤ 2n−1 − 2m+1 .
Tarannikov, Fedorova [10], 2000: Constructions of n-variable m-resilient Boolean functions with the maximum possible nonlinearity 2n−1 − 2m+1 for m ≥ 0.5902 . . . n(1 + o(1)). 1.1.2. Correlation Immunity vs Algebraic Immunity No certain tradeoffs so far.
A. Botev / On Properties of Correlation Immune Functions with High Nonlinearity
285
1.1.3. Nonlinearity vs Algebraic Immunity Dalai, Gupta, Maitra [11], 2004:
nl(f ) ≥
AI(f )−2
n . i
=2
i=0
Lobanov [12], 2005: n−AI(f )
nl(f ) ≥ 2n−1 −
i=AI(f )−1
n−1 i
AI(f )−2
i=0
n−1 . i
Lobanov’s bound is tight for all possible pairs of n and AI(f ). 1.2. Other known results Courtois, Meier [7], 2003: For any Boolean function f of n variables AI(f ) ≤ ⌈n/2⌉. Didier, Tillich [13], 2006: “Almost all” balanced Boolean functions f of n variables have algebraic immunity approximately n/2. 1.3. Constructions of Functions with High Immunity Here we give examples of functions having high correlation immunity or high algebraic immunity. Note that there is no construction having both good algebraic immunity and good correlation immunity so far. 1.3.1. Algebraic Immunity Dalai, Gupta, Maitra [8], 2005: Functions with maximum possible algebraic immunity ⌈n/2⌉—recursive and direct constructions. Nonlinearity is not quite good, however, most of other cryptographically important parameters are not controlled. Braeken, Preenel [9], 2005: Algebraic immunity of some classes of symmetric functions. 1.3.2. Correlation Immunity—Tarannikov’s Construction [4] be (m + 1)-resilient function Let fn,1 ∈ Fn2 be m-resilient function and fn+1,2 ∈ Fn+1 2 (m ≤ n−2), and nl(fn,1 ) = 2n−1 −2m+1 , nl(fn+1,2 ) = 2n −2m+2 (both nonlinearities are maximal). Moreover, let fn+1,2 have some cryptographic property (existence of a pair of quasilinear variables). and fn+4,2 ∈ Fn+4 so that fn+3,1 is (m + 2)Then there exist fn+3,1 ∈ Fn+3 2 2 resilient and fn+4,2 is (m + 3)-resilient, and nonlinearities of fn+3,1 and fn+4,2 are maximal, too, and fn+4,2 has a pair of quasilinear variables. Construction takes place for 0.6n − 1 ≤ m ≤ n − 2.
286
A. Botev / On Properties of Correlation Immune Functions with High Nonlinearity
1.3.3. Correlation Immunity—Pasalic et al’s Construction [5] Let H 0 ∈ Fn2 be the initial function (having some cryptographic property) and H i be the ith function (after i iterations). Suppose that H 0 is m-resilient and it has the maximal nonlinearity. ′ Then let H i be H i after the changing of xn+3i and xn+3i+1 + xn+3i+2 . Further, ′ let F i+1 be H i + xn+3i+1 + xn+3i+2 and let Gi+1 be H i + xn+3i + xn+3i+2 . Then H i+1 is the concatenation of F i+1 and Gi+1 . Moreover, H i+1 is (m + 2i)resilient and has the maximal possible nonlinearity, and H i+1 has the same needed cryptographic property what H 0 has.
2. Generalization of Tarannikov and Pasalic et al’s Constructions Here we present a generalization of known recursive constructions of functions with the maximal nonlinearity and announce that this generalization has the maximal nonlinearity √ indeed and that this construction provides nonlinearity at least Ω( n). 2.1. Constructing Let 0.6n − 1 ≤ m ≤ n − 2. Let fn,0 and fn,1 are m-resilient Boolean functions on Fn2 having maximal nonlinearities 2n−1 − 2m+1 both. Let they have a pair of variables (linear for fn,0 and quasilinear for fn,1 ; definition of quasilinearity one can find in [4]). having maxThen fn+3,0 and fn+3,1 are m + 2-resilient Boolean functions on Fn+3 2 n+2 m+3 imal nonlinearities 2 −2 both. Moreover, they have a pair of variables which linear for fn+3,0 and quasilinear for fn+3,1 . These functions are definited as follows: fn+3,0 = xn+1 (fn,0 + fn,1 ) + σn,0 + xn+2 + xn+3 + hn,0 , fn+3,1 = xn+1 + xn+2 (fn,0 + fn,1 + σn,1 ) + xn+3 (fn,0 + fn,1 + σn,1 + 1) + hn,1 , where hn,0 , hn,1 ∈ {fn,0 , fn,1 , 1 + fn,0 , 1 + fn,1 } and σn,0 , σn,1 ∈ {0, 1}. Constructions of Tarannikov and of Pasalic et al are the particular cases of this construction. Particular values of hn,0 , hn,1 , σn,0 , σn,1 are as follows: • Tarannikov’s construction: hn,0 = fn,1 ,
hn,1 = fn,1 ,
σn,0 = 0,
σn,1 = 1.
hn,1 = fn,0 ,
σn,0 = 1,
σn,1 = 1.
• Pasalic et al’s construction: hn,0 = fn,0 ,
It’s easy to see that the number of possible functions after the ith iteration is 64i .
A. Botev / On Properties of Correlation Immune Functions with High Nonlinearity
287
2.2. Nonlinearity and Algebraic immunity Here we announce some properties of the given construction. The next theorem shows that functions obtained from the construction have the maximal possible nonlinearity: Theorem 1. Let f (i) be an m-resilient Boolean function obtained from fn,0 and fn,1 after i iterations. Then nl(f (i) ) = 2n−1 − 2m+1 . The next theorem states √ that the algebraic immunity of functions is growing with the velocity not less than Ω( n). Theorem 2. Let fn,0 and fn,1 be initial functions of the construction, and k = (i) (i) max{AI(fn,0 , AI(fn,1 )}. Then after at most i iterations fn,0 and fn,1 have algebraic immunities strictly greater than k. √ Corollary. This recursive construction provides algebraic immunity at least Ω( n).
Conclusion Thus, a wide class of recursive m-resilient (0.6n−1 ≤ m ≤ n−2) functions is obtained. Functions from this class have the best possible tradeoff between correlation immunity and nonlinearity and growing algebraic immunity.
References [1] P. Sarkar, S. Maitra, Nonlinearity bounds and constructions of resilient boolean functions, Proc. of Crypto 2000, Lecture Notes in Computer Science 1880 (2000), Springer-Verlag, 515–532. [2] Yu. Tarannikov, On resilient Boolean functions with maximal possible nonlinearity, Proc. of Indocrypt 2000, Calcutta, India, December 10–13, 2000, Lecture Notes in Computer Science 1977 (2000), Springer-Verlag, 19–30. [3] Y. Zheng, X.-M. Zhang, Improved upper bound on nonlinearity of high order correlation immune functions, Proceedings of the Seventh Annual Workshop on Selected Areas in Cryptography (SAC 2000), August 2000, Lecture Notes in Computer Science 2012 (2001), Springer-Verlag, 264–274. [4] Yu. Tarannikov, New constructions of resilient Boolean functions with maximal nonlinearity, Proc. of Fast Software Encryption (FSE 2001), Yokohama, Japan, April 2–4, 2001, Revised Papers, Lecture Notes in Computer Science 2355 (2002), Springer-Verlag, 66–77. [5] E. Pasalic, S. Maitra, T. Johansson, P. Sarkar, New constructions of resilient and correlation immune Boolean functions achieving upper bounds on nonlinearity, Workshop on Coding and Cryptography (WCC 2001), Paris, January 8–12, 2001, Electronic Notes in Discrete Mathematics, 6 (2001), Elsevier Science. [6] W. Meier, E. Pasalic, C. Carlet, Algebraic attack and decomposition of Boolean functions, Proc. of Eurocrypt 2004, Interlaken, Switzerland, May 2–6, 2004, Lecture Notes in Computer Science 3027 (2004), Springer-Verlag, 474–491. [7] N. Courtois, W. Meier, Algebraic attacks on stream ciphers with linear feedback, Proc. of Eurocrypt 2003, Warsaw, Poland, May 4–8, 2003, Lecture Notes in Computer Science 2656 (2003), SpringerVerlag, 345–357. [8] D.K. Dalai, K.C. Gupta, S. Maitra, Cryptographically significant Boolean functions: Construction and analysis in terms of algebraic immunity, Proc. of FSE 2005, Lecture Notes in Computer Science 3557 (2005), Springer-Verlag, 98–111. [9] A. Braeken, B. Preneel, On the algebraic immunity of symmetric Boolean functions, Report 2005/245 in http://eprint.iacr.org/, 2005.
288
A. Botev / On Properties of Correlation Immune Functions with High Nonlinearity
[10] M. Fedorova, Yu. Tarannikov, On the constructing of highly nonlinear resilient Boolean functions by means of special matrices, Proc. of Indocrypt 2001, Chennai, India, December 16–20, 2001, Lecture Notes in Computer Science 2247 (2001),Springer-Verlag, 254–266. [11] D.K. Dalai, K.C. Gupta, S. Maitra, Results on Algebraic immunity for cryptographically significant Boolean functions, Proc. of Indocrypt 2004, Lecture Notes in Computer Science 3348 (2004), SpringerVerlag, 92–106. [12] M. Lobanov, Tight Bound between Nonlinearity and Algebraic Immunity, Report 2005/441 in http://eprint.iacr.org/, 2005. [13] F. Didier, J.-P. Tillich, Computing the Algebraic Immunity Efficiently, Proc. of FSE 2006, Lecture Notes in Computer Science 4047 (2006), Springer-Verlag, 359–374.
289
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-289
Constructing Boolean Functions with Extremal Properties Andrey KHALYAVIN 1 Lomonosov University, Moscow, Russia Abstract. In this work we present a new way to construct 3-resilient Boolean functions of 9 variables with nonlinearity 240. Such function have been discovered very recently in [1] and [2] by a heuristic search. We find these functions by an exhaustive search in the class of functions symmetric under cyclic shifts of the first seven variables. The exhaustive search was reduced significantly by using of special techniques and algorithms which can be helpful in other similar problems. Also we construct some new functions that attain the upper bound on nonlinearity of higher number of variables. Keywords. Secret-key cryptography, Boolean function, resiliency, nonlinearity, fast algorithm
Introduction Boolean functions with high nonlinearity and correlation immunity have an important significance in cryptography since these functions allow to construct ciphers resistant to various attacks. In this work by means of an optimized computer exhaustive search we have constructed Boolean functions with extremal characteristics of nonlinearity and correlation immunity. More exactly, we construct (3 + 2i)-resilient functions of 9 + 3i variables with nonlinearity 28+3i − 24+2i , i ≥ 0. Our construction is different from constructions in [1] and [2] where a heuristic search was used.
1. Definitions and the Formulation of Main Result A Boolean function f is called m-resilient if for any substitution of any m constants instead of any arguments, the fraction of vectors where the obtained subfunction takes the value 1 is equal to one-half. The nonlinearity of a function f is the distance between this function and the class of linear functions. As the distance between functions we take the Hamming distance: d(f, g) = |{x : f (x) = g(x)}|. For m-resilient functions of n variables it was proved the upper bound on nonlinearity 2n−1 − 2m+1 [3,4,5]. It follows the problem of a construction of functions that attain this upper bound. Below we denote by (n, m, nl) the class of m-resilient functions of n variables with nonlinearity 1 Mech. & Math. Department, mail: [email protected].
Lomonosov
University,
119992
Moscow,
Russia;
E-
290
A. Khalyavin / Constructing Boolean Functions with Extremal Properties
nl. In the work [6] it were found all (7, 2, 56) (totally 72), (5, 1, 12) (totally 8) functions symmetrical relatively cyclic shifts of variables (so named rotation symmetrical functions). Also in [7] it were given direct constructions of (n, m, 2n−1 − 2m+1 ) functions for n − 2 ≥ m ≥ 0.6n − 1. In this paper we succeed to construct (9, 3, 240)-functions. Earlier these functions were looked in the class of rotation symmetrical functions but in [8] it was proved that this class does not contain desired functions. We will look for these functions in larger (by cardinality) class of functions invariant under cyclic shifts of only the first 7 arguments. We have checked also the class of functions invariant relatively cyclic shifts of the first 8 arguments but it does not appear (9, 3, 240) functions there. There are exist 20 classes of an equivalence for 7-dimension Boolean vectors relatively a cyclic shift. The last 2 bits increase the total number of equivalence classes up to 20 · 4 = 80. Thus, our space of search has the size 280 . The direct exhaustive search of such big number of functions is practically impossible in our time, therefore, we will use different methods based on some properties of Walsh coefficients in order to reduce the search space.
2. Walsh Coefficients of Desired Functions A Walsh coefficient of a Boolean function f is called the value Wf (u) =
(−1)f (x)+u,x .
x∈Fn 2
It is easy to express the nonlinearity of a function f via Walsh coefficients: nl(f ) = 2n−1 − (1/2) maxu∈Fn2 |Wf (u)|. The desired functions have the nonlinearity 240, so |Wf (u)| ≤ 32 for each u. On the other hand, by Sarkar Identity [9]
u∈Fn 2 ,u∈w
Wf (u) = 2n − 2|w|+1 wt(fw ),
where wt(f ) is the weight of the function f , fw is the function obtained from f by the substitution of ones instead of all variables at the positions of unit bits of w, u ∈ w is the majorization relation. The right side is always divisible by 32 because of 3-resiliency of our function. Individual Walsh coefficients can be easily expressed via sums of the left sides, therefore, they are divisible by 32 too. Thus, the Walsh coefficients can take only values 0, 32 and −32. Moreover, if the weight of u is less or equal to 3, we can substitute constants instead of variables at the positions of unit bits of u and obtain that Wf (u) =
xi1 ,xi2 ,...xik
(−1)xi1 +···+xik
(−1)f (x) = 0,
xj1 ,...xjl
where i1 , . . . , ik are unit bits of u whereas j1 , . . . , jl are zero bits of u.
A. Khalyavin / Constructing Boolean Functions with Extremal Properties
291
3. Definition and Properties of Matrix A It is obvious that under the permutation of variables the Walsh coefficients are permuted by the same way. Therefore it is possible to split them into the same 80 classes of an equivalence. We number these classes of an equivalence as c1 , . . . , c80 . cj be two classes of an equivalence. We define the numbers aij = Let ci and u,x (−1) where u ∈ cj (this expression does not depend on the choice of u since x∈ci under the permutation of coordinates neither the inner product nor the set of vectors x are not changed). All such numbers form the matrix which we denote by A. This matrix allows to calculate easily Walsh coefficients via the values of a function. Let us represent the function f by the row v where in the position i it is written 1 if f (x) = 0, x ∈ ci , and −1 if f (x) = 1, x ∈ ci . Let us represent the Walsh coefficients of the function f by the column w where wi = Wf (u), u ∈ ci . Then using the definition of the matrix A and the definition of Walsh coefficients we obtain that w = vA. Theorem 1. Let ci and cj be the classes of an equivalence whose representatives have the 8th bit equal to 0. Let ci′ and cj ′ be the classes of an equivalence obtained from ci and cj , correspondently, by reverting the 8th bit. Then aij = ai′ j = aij ′ = −ai′ j ′ . Proof. The sums for the numbers aij , ai′ j , aij ′ , ai′ j ′ are distinguished only by the multiplier (−1)u8 x8 . This multiplier is different from 1 only in the case u8 = 1 and x8 = 1 which corresponds to classes ci′ and cj ′ . A similar statement is true for the 9th bit. An idea to use the similar symmetry of the matrix A was stated in the work [8] but we have used more simple way to decompose the matrix A into 2 parts above. In [8] the class ci was mapped to ci which is obtained from ci by the inversion of the first 7 bits that gives one more way to decompose the matrix A into 2 parts. Thus, the choice of the family of functions invariant under cyclic shifts of some first variables generates a matrix with a rich family of symmetries that can also help in the solution of other problems.
4. The Algorithms of Exhaustive Search The symmetrical property of the matrix A allows to reduce an exhaustive search significantly. We split the classes of an equivalence into 2 groups. Put into G0 all classes that have elements with the 9th bit is equal to 0, and put into G1 all remained classes. We split vectors v and w that represent our function and Walsh coefficients, correspon B , and we obtain dently, by the same way. Then the matrix A takes the form B B −B w0 = v0 B + v1 B and w1 = v0 B − v1 B where B is the minor 40 × 40 of the matrix A formed by rows and columns from G0 . All coordinates in w0 and w1 are divisible by 32, therefore all coordinates in v0 B and v1 B are divisible by 16. In order to find all vectors v0 for which all coordinates z0 = v0 B are divisible by 16 we split G0 into 2 subgroups of |G0 |/2 = 20 elements (the way of a decomposition doesn’t matter). We split the vector v0 in the same way. Thus, we obtain z00 = v00 C0 + v01 C1 where the matrices C0 and C1 of size 20 × 40 are obtained after the decomposition of the matrix B into 2 parts according to the decomposition of G0 . Now we calculate the vectors v00 C0 and v01 C1 for all vectors v00 and v01 . We obtain two sets of 220 vectors. For all vectors
292
A. Khalyavin / Constructing Boolean Functions with Extremal Properties
v00 and v01 we construct the vectors of residues v00 C0 and −v01 C1 by modulo 16. Now we sort vectors according to these vectors of residues (we compare vectors of residues lexicographically). After this it is possible to select in each set the groups of vectors with the same vectors of residues and to find all pairs of groups from different sets which have the same vectors of residues in linear time. For each such pair of groups we obtain all possible desired vectors v0 combining all vectors from a group in the first set with all vectors from a group in the second set. Their number is appeared to be 8880903. Now for each vector v0 we construct the vector of residues of components v0 B by modulo 32 (its components will be only 0 and 16). In order to a pair of vectors v0 and v1 gives the vector w with coordinates divisible by 32, these vectors of residues must coincide. Therefore, we sort all vectors v0 according to their vectors of residues and find the groups of vectors with the same vectors of residues in linear time. Then for each pair of vectors from the same group we check the obtained vector w. If the vector w satisfies all conditions, we have found the required function since for 3-resiliency it is sufficient that all Walsh coefficients with the weight at most 3 are zeroes, and for the equality of the nonlinearity to 240 it is enough that all components of the vector w are upper bounded by 32. In fact, we check even more tight conditions. As a result, after 5 hours of calculations it were founded 423634 different 3-resilient functions with nonlinearity 240. The groups of vectors v0 with the same vectors of residues were relatively large: from 100 until 30000 vectors, therefore for the speeding up of calculations we applied additional methods. At first, if in some position in the vectors v0 B and v1 B the values are equal by modulo 32 then either in v0 B + v1 B or in v0 B − v1 B we obtain the number with the absolute value 64 in this position. Thus, the final vector w will not satisfy to our conditions. Therefore, for each vector v0 we constructed the mask in which for every position in the vector v0 B it was written 0 if the coordinate is less than 32 by the absolute value, and 1 otherwise. We deleted the positions with numbers comparable with 16 by modulo 32 from the mask since in these positions the result value 16 ± 16 of the vector’s w component is always equal to allowable value 0, 32 or −32. Thus, the necessary condition that a pair of vectors is desired is the absence of digits with 1 in both masks. This condition can by quickly checked by computer using the bitwise AND operator. Besides, the task of the search of disjoint masks can appear in other problems in the theory of Boolean functions. In the next section we describe algorithms that can speed up calculations in this case. The first of these algorithms was used in our calculations that had allowed to speed up the calculations a little more.
5. The Search of Disjoint Masks Suppose that we have t-bit masks m1 , . . . , mn that have uniform distribution over the Boolean cube B t . Theorem 2. Denote by k = n2 (3/4)t the average number of pairs of disjoint bit masks. There exists the algorithm of their finding using at most O(nα +k) time in average where α = log2 (1 + φ) = 1.388 . . ., φ = 1.618 . . . is the golden section. (We assume that we can check if two given masks are intersected using one operation.) Proof. We will prove the bound by induction on n. Moreover, we suppose that the first masks are choosing from some set of masks A and the second masks are choosing from
A. Khalyavin / Constructing Boolean Functions with Extremal Properties
293
some set of masks B. Let us assume that for n ≤ N we need C(nα + k) + C1 n log(n) operations in order to find all pairs of disjoint masks for |A| ≤ n, |B| ≤ n, and φC(nα + k) + C1 n log(n) operations in the case |A| ≤ n, |B| ≤ 2n. Let us prove these bounds for 2N ≥ n > N . Let |A| ≤ n, |B| ≤ n. If t = 0 then we simply output all possible pairs of masks. This requires Ck operations. In other case we split masks in A and B into 2 classes by the first bit. We put into A0 all masks that begin with 0, and put into A1 all masks that begin with 1. This requires C2 n operations. If the deviation |A1 | − |A|/2 is greater than n0.51 then we simply check all pairs of masks from A and B. Since the probability of this event is decreasing exponentially when n grows, it requires o(n) operations in average, therefore we can neglect this term. In the case of a small deviation, we start our algoritm recursively for the sets of masks A and B0 , and also A0 and B1 . The total number of operations will be at most C
n n + n0.51 log + n0.51 + k + C1 2 2 2 n α n n + n0.51 + k + C1 + n0.51 log + n0.51 + C2 n + φC 2 2 2 n α = (1 + φ)C + k + o(n) + o(n) + C1 n log(n) + C2 n − C1 log(2)n 2 1+φ ≤ C α (nα + k) + C1 n log(n) = Cnα + k + C1 n log(n). 2
n
+ n0.51
α
In the second inequality we use the fact that we can choose C1 as large as possible, in particular, greater than C2 / log(2). We have proved the first sentence of the theorem. For the second sentence (|A| ≤ n, |B| ≤ 2n) we act by the same way. The number of operations is at most n n + n0.51 log + n0.51 C((n + n0.51 )α + k) + C1 2 2 n α n n + n0.51 + k + C1 + n0.51 log + n0.51 + C2 n + φC 2 2 2
φ = C 1 + α (nα + k) + o(n) + C1 n log(n) + (C2 n − C1 log(2)n) 2
φ ≤C 1+ (nα + k) + C1 n log(n) = Cφ(nα + k) + C1 n log(n). 1+φ This algorithm was used in calculations. In reality the distribution of masks is not uniform and the algorithm works worse. It is possible to modify the algorithm for the case of unequal probabilities for the appearance of zero and one—we should just switch sets so that |A| < |B| (in the recursion call the sets A and B are used non symmetrically!). However, in this case it is hard to obtain a tight bound for the number of operations since the ratio of cardinalities of A and B can take an infinite set of values. It is possible to decrease the exponent α in the bound O(nα + n2 β t ) by increasing β. This kind of algorithms is effective when the number of solutions is very small (that is why they were not used in our case).
294
A. Khalyavin / Constructing Boolean Functions with Extremal Properties
Theorem 3. For any s there exists an algorithm of the finding of all pairs of disjoint masks which works for O(nα + n2 β t/s ) operations in average (in assumption that all masks are equiprobable) where β = 1−2·2−s +3·2−2s , α = 1+1/s, |A| ≤ n, |B| ≤ n. Proof. If t < s, we simply check all pairs of masks that demands Cn2 = O(n2 β t ) operations. In the opposite case we split all masks in |A| and |B| into 3 groups: we put into A0 and B0 all masks where the first s bits are equal to 1, we put into A1 and B1 all masks where the first s bits are equal to 0, and we put into A2 and B2 all remained masks. Then we solve subproblems for the pairs of sets (A0 , B1 ), (A1 , B0 ), (A1 ∪A2 , B1 ∪B2 ). We will prove the bound on the number of operations by induction. By the same way as in the previous theorem it is possible to neglect the nonuniformity of the distribution of sets into parts and the linear number of operations for the fulfillment of this decomposition. Then we can estimate the number of operations by the value C
n α
n α n2 β t/s−1 n2 β t/s−1 + C + C 2s 22s 2s 22s
α
2 1 1 2 t/s−1 + Cn β +C n 1− s 1− s 2 2
α 2 K
α
1 1 2 1 α 2 t/s + 1− s + 1− s = Cn 2 β + Cn β 2s 2 22s 2
α
1 2 α + 1− s = Cn + Cn2 β t/s 2s+1 2
1 1 α < Cn + 1− s + Cn2 β t/s = Cnα + Cn2 β t/s . 2s 2 +C
This proves the inductive step (the base is obvious since we can take as large constant C as we want).
6. The Analysis of Constructed Functions For each of 423634 functions we have considered 4 subfunctions of 7 variables (decomposing by the last 2 variables) and calculated the degree of their resiliency. It is appears that in 400594 functions all subfunctions are only 1-resilient and in 23040 functions all subfunctions are 2-resilient. It is not appeared functions in which the part of subfunctions are 1-resilient and the part of subfunctions are 2-resilient. Moreover, it is appeared that the nonlinearity of these 2-resilient subfunctions is equal either 48 or 56, and also the number of subfunctions with nonlinearity 56 can be equal to either 0 (4608 functions) or 2 (18432 functions). The example of a function without subfunctions with nonlinearity 56: 791C92A7 6B5499A9 1AECE525 9C2762D9
1EE2C659 349EC636 65936A99 C3E2971C
9867C768 D0AB1E65 CB3116DA A55A6768
A5693996 2FC1D269 E14E3C96 3C5998A7.
A. Khalyavin / Constructing Boolean Functions with Extremal Properties
295
The example of a function with two subfunctions with nonlinearity 56: F5191A96 8CA76E51 635A91EC 619A9E66
1A6C9CE3 C36539B8 B49AC707 9E656169
38C6C9A7 A7D0619B 5C2B3E64 1EE5E119
96A76750 721E5C8E 8DD1A279 C338699E.
Also it were found 3840 functions which are decomposed into two 3-resilient subfunctions of 8 variables with nonlinearity 112 (we decompose by the last variable). It allows (see [10]) to construct functions of the form (9 + 3i, 3 + 2i, 28+3i − 24+2i ). The example of a function that admits such decomposition: 96C307DA E5919C3A 619A9E66 E51B1AD4
AA71B54C 1C8F7266 9E656169 926C9DA3
664EF138 32AD8E55 1EE5E119 3CC269A7
5C3989A7 5BE0C369 C338699E 96976658.
Acknowledgements The author is deeply grateful to his scientific supervisor Prof. Yuriy Tarannikov for the formulation of the problem, attention to the work and valuable advices.
References [1] Z. Saber, M. Faisal Uddin, and A. Youssef, On the existence of (9, 3, 5, 240) resilient functions, IEEE Transactions on Information Theory 52(5) (2006), 2269–2270. [2] S. Kavut, M. Yucel, and S. Maitra, Construction of Resilient Functions by the Concatenation of Boolean Functions Having nonintersecting Walsh Spectra, In Third International Workshop on Boolean Functions: Cryptography and Applications (BFCA’07), May 2–3, 2007, Paris, France. [3] P. Sarkar and S. Maitra, Nonlinearity bounds and constructions of resilient Boolean functions, Proc. of Crypto’2000, Lecture Notes in Computer Science 1880 (2000), 515–532. [4] Yu. Tarannikov, On resilient Boolean functions with maximal possible nonlinearity, Proc. of Indocrypt’2000, Lecture Notes in Computer Science 1977 (2000), Springer-Verlag, 19–30. [5] Y. Zheng and X.-M. Zhang, Improved upper bound on the nonlinearity of high order correlation immune functions, Proc. of 7th Annual International Workshop on Selected Areas in Cryptography (SAC’2000), Lecture Notes in Computer Science 2012 (2001), Springer-Verlag, 264–274. [6] P. Stanica and S. Maitra, Rotation symmetric Boolean functions—count and cryptographic properties. Proc. of R.C. Bose Centenary Symposium on Discrete Mathematics and Applications, Indian Statistical Institute, Calcutta, December 2002, Electronic Notes in Discrete Mathematics 15, Elsevier. [7] Yu. Tarannikov, New constructions of resilient Boolean functions with maximal nonlinearity, Proc. of 8th Fast Software Encryption Workshop (FSE 2001), Yokohama, Japan, April 2–4, 2001, Revised Papers, Lecture Notes in Computer Science 2355 (2002), Springer-Verlag, 66–77. [8] A. Maximov, M. Hell, and S. Maitra, Plateaued rotation symmetric Boolean functions on odd number of variables, Cryptology ePrint Archive, Report 2004/144, http://eprint.iacr.org/. [9] P. Sarkar, Spectral domain analysis of correlation immune and resilient Boolean functions, Cryptology ePrint Archive, Report 2000/049, http://eprint.iacr.org/. [10] E. Pasalic, S. Maitra, T. Johansson, and P. Sarkar, New constructions of resilient and correlation immune Boolean functions achieving upper bounds on nonlinearity, Proc. of Workshop on Coding and Cryptography (WCC’2001), Paris, January 8–12, 2001, Electronic Notes in Discrete Mathematics 6, Elsevier Science, 2001.
296
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-296
Tight Bounds between Algebraic Immunity and Nonlinearities of High Orders Mikhail LOBANOV 1 Lomonosov University, Moscow, Russia Abstract. Among cryptographically significant characteristics of Boolean functions used in symmetric ciphers the algebraic immunity and the nonlinearities of high orders play the important role. Some bounds on the nonlinearities of high orders of Boolean functions via its algebraic immunity were obtained in recent papers. In this paper we improve these results and obtain new tight bounds. We prove new universal tight lower bound that reduces the problem of an estimation of high order nonlinearities to the problem of the finding of dimensions of some linear spaces of Boolean functions. As simple consequences we obtain all previously known bounds in this field. For polynomials with disjoint terms we reduce the finding of dimensions of linear spaces of Boolean functions mentioned above to a simple combinatorial analysis. Finally, we prove the tight lower bound on the nonlinearity of the second order via its algebraic immunity. Keywords. Stream cipher, nonlinear filter, algebraic attack, Boolean function, algebraic immunity, algebraic degree, nonlinearity, higher order nonlinearity, annihilator
Introduction Boolean functions have wide applications in cryptography, in particular, in symmetric cryptography. Stream ciphers use Boolean functions as nonlinear filters or nonlinear combiners, block ciphers use Boolean functions in S-boxes. Boolean functions have many cryptographically important characteristics. Good characteristics provide the resistance at least against known attacks. Among these characteristics the algebraic immunity and the nonlinearity of high orders play the important role. Recently, the significance of the algebraic immunity and the nonlinearities of high orders and their mutual relations were described in papers [1,2,3,4,5]. Boolean functions with good algebraic immunity and nonlinearities of high orders allow to resist against many types of known cryptographical attacks including algebraic, correlation and linear attacks. Some bounds between algebraic immunity and nonlinearities were obtained in [1, 2,3,4,5]. It appeared that the good algebraic immunity provides also some guaranteed nonlinearity of rth order. These results are important since recently it was proposed some 1 Mech. & Math. Department, mail: [email protected].
Lomonosov
University,
119992
Moscow,
Russia;
E-
M. Lobanov / Tight Bounds Between Algebraic Immunity and Nonlinearities of High Orders
297
algorithms for the calculation of algebraic immunity whereas the effective calculation or estimation of high order nonlinearities is not an easy problem. In [3] the tight lower bound on the nonlinearity (of the first order) of a Boolean function via the value of its algebraic immunity was obtained. The lower bounds on the nonlinearity of the rth order via its algebraic immunity were obtained in [1,2,4,5], the strongest among them is the bound (4). In this paper we propose the new approach that reduces the problem of an estimation of high order nonlinearities to the problem of the finding of dimensions of some linear spaces of Boolean functions. This result is given in our Theorem 1. This Theorem gives the new universal lower bound on the rth order nonlinearity of a Boolean function via its algebraic immunity. This bound is tight, i.e., for any possible set of parameters there exists a function that achieves this bound. We obtain all previously known bounds in this field as simple consequences of our Theorem 1. Next, for the functions of the special form—for the polynomials with disjoint terms—we prove the Theorem 2 that allows to reduce the finding of dimensions of some linear spaces of Boolean functions mentioned above to a simple combinatorial analysis. Using Theorem 2 we obtain in Theorem 3 the tight lower bound on the nonlinearity of the second order via its algebraic immunity. The bound is tight, i.e., for all possible pairs of algebraic immunity and the number of variables there exists a function that achieves this bound. The rest of the paper is organized as follows. In Section 1 we give the necessary definitions and some previously known results. In Section 2 we prove Theorem 1 with new universal tight lower bound that reduces the problem of an estimation of high order nonlinearities to the problem of the finding of dimensions of some linear spaces of Boolean functions. As simple consequences we obtain all previously known bounds in this field. In Section 3 for polynomials with disjoint terms we prove the Theorem 2 that allows to reduce the finding of dimensions of linear spaces of Boolean functions mentioned above to a simple combinatorial analysis. In Section 4 we prove in Theorem 3 the tight lower bound on the nonlinearity of the second order via its algebraic immunity.
1. Preliminaries Let f be a Boolean function on Fn2 . It is well known that f can be uniquely represented by a polynomial. An algebraic degree deg(f ) of f is the length of the longest term in the polynomial of f . A Boolean function g is called an annihilator of f if f · g ≡ 0. It is obvious that the set of all annihilators of f forms the linear subspace in the space of all Boolean function on Fn2 . An algebraic immunity AI(f ) of f is the minimum degree of a nonzero function g on Fn2 such that g is an annihilator of f or g is an annihilator of f + 1. It is known [6,7] that for any f on Fn2 the inequality AI(f ) ≤ ⌈n/2⌉ holds. The weight wt(x) of a vector x ∈ Fn2 is the number of ones in x. The distance between two Boolean functions f1 and f2 is defined as d(f1 , f2 ) = |{x ∈ Fn2 | f1 (x) = f2 (x)}|. The nonlinearity of rth order nlr (f ) of a Boolean function f over Fn2 is called the value minl:deg(l)≤r d(f, l). The nonlinearity nl(f ) of f is the distance between f and the set of affine functions, i.e., the nonlinearity of the first order. In [2] it was proved the result equivalent to the next bound on the nonlinearity of the rth order:
298
M. Lobanov / Tight Bounds Between Algebraic Immunity and Nonlinearities of High Orders
nlr (f ) ≥
n . i
AI(f )−r−1
i=0
(1)
Later in [3] it was proved the lower bound on the nonlinearity (r = 1) of a function via the value of its algebraic immunity:
nl(f ) ≥ 2
AI(f )−2
i=0
n−1 . i
(2)
For all possible values of algebraic immunity in [3] it were constructed functions that achieve equality in this bound. In [1] the bound (2) was generalized for the case of arbitrary r:
nlr (f ) ≥ 2
AI(f )−r−1
i=0
n−r . i
(3)
Note that the bound (1) does not follow the bound (3) and visa versa. In [5] and [4] it was proved the bound
nlr (f ) ≥
AI(f )−r−1
i=0
n + i
AI(f )−r−1
i=AI(f )−2r
n−r . i
(4)
that is better than both bounds (1) and (3).
2. The Problem Reduction to the Estimation of Linear Subspaces Dimensions Definition 1. Let h be a Boolean function on Fn2 . Denote by Ank (h) the linear subspace of all annihilators of degree at most k. Denote by dk,h the dimension of this subspace. Definition 2. Let C = {x1 , . . . , xn } be some set of vectors in Fn2 . For any given k, k ≤ n, and for any vector x = (x1 , . . . , xn ) ∈ Fn2 we correspond to x the uniform linear equation with the left side generated by the substitution of components of the vector x into the expression a0 +
n i=1
ai x i +
1≤i k and g does not belong to Bk (f ). The dimension of Cf,k is equal to |Sa1 ,...,aq (k)| that follows the conclusion of this proposition. Now we prove the converse inequality. Proposition 8. Suppose that any two terms in the polynomial form of f (x1 , . . . , xn ) do not contain joint variables. Let q be the number of terms in the polynomial kof f, and a1 ≥ a2 ≥ . . . ≥ aq are the lengths of these terms. Then dim(Bk (f )) ≥ i=0 ni − |Sa1 ,...,aq (k)|. Proof. Without loss of generality it is possible to assume that the function has the form f = x1 x2 · · · xa1 + xa1 +1 · · · xa1 +a2 + · · · + xa1 +...+aq−1 +1 · · · xa1 +...+aq . / Denote by Sa1 ,...,aq (k) the set of vectors x = (x1 , . . . , xn ), wt(x) ≤ k and x ∈ Sa1 ,...,aq (k). Suppose that x = (x1 , . . . , xn ) ∈ Sa1 ,...,aq (k). Then we map the vector x to the function fx by the next rules: 1. If deg xi1 xi2 · · · xiwt(x) f ≤ k where i1 , . . . , iwt(x) are the indexes of positions of ones in the vector x = (x1 , . . . , xn ) then fx = xi1 xi2 · · · xiwt(x) . 2. If x does not satisfy the first item and for any t ≤ q it holds 0 < st (x) ≤ ai then fx = xi1 · · · xis1 (k) + 1 . . . xis1 (k)+...+sq−1 (k) +1 · · · xis1 (k)+...+sq (k) + 1 ,
M. Lobanov / Tight Bounds Between Algebraic Immunity and Nonlinearities of High Orders
303
where i1 , . . . , is1 (k)+...+sq (k) are the indexes of positions of ones in the vector x = (x1 , . . . , xn ). 3. If x does not satisfy any of two previous items and st (x) = 0, 0 < si (x) < ai for all i < t, then fx = xi1 · · · xis1 (k) + 1 . . . xis1 (k)+...+sq−1 (k) +1 · · · xis1 (k)+...+sq (k) + 1 ,
where i1 , . . . , is1 (k)+...+sq (k) are the indexes of positions of ones in the vector x = (x1 , . . . , xn ). 4. If x does not satisfy any of three previous items then st (x) = 1 for some t ≤ q and si (k) = 0 for i = b1 , . . . , bu , where bh > t (0 < si (x) < ai for i < t and 0 < si (x) for i = t, b1 , . . . , bu ) then fx = xi1 . . . xis1 (k) + 1 xis1 (k)+1 . . . xis1 (k)+s2 (k) + 1 . . . × xis1 (k)+...+st−2 (k)+1 . . . xis1 (k)+...+st−1 (k) + 1 × xis1 (k)+...+st (k) +1 . . . xis1 (k)+...+st+1 (k) + 1 . . . × xis1 (k)+...+sq−1 (k) +1 . . . xis1 (k)+...+sq (k) + 1 × xa1 +...+at−1 +1 . . . xa1 +...+at + xa1 +...+a(b1 −1) +1 . . . xa1 +...+ab1 + . . . +xa1 +...+abu−1 +1 . . . xa1 +...+abu ,
where i1 , . . . , is1 (k)+...+sq (k) are the indexes of positions of ones in the vector x = (x1 , . . . , xn ). It is possible to check that the rule given above maps any vector x = (x1 , . . . , xn ) ∈ Sa1 ,...,aq (k) to the unique function fx . The polynomial of fx for any vector x described above contains the term that contains all variables which correspond to ones in the vector x; all other terms have smaller length or lexicographically greater. It follows the linear independence of all fx corresponded to vectors x = (x1 , . . . , xn ) ∈ Sa1 ,...,aq (k). Indeed, suppose that we have the vectors x1 , . . . , xh ∈ Sa1 ,...,aq (k), choose from them the vectors with the maximal weight , and among them the first vector in the lexicographical order. The term corresponded to this vector enters into the polynomial of fx1 + . . . + fxh , all other terms have smaller length or lexicographically greater. Therefore fx1 + . . . + fxh is not identically zero. Now show that for any x = (x1 , . . . , xn ) ∈ Sa1 ,...,aq (k) the corresponding function fx belongs to Bk (f ). If the vector x satisfies Item 1, the desired fact follows from the definition fx for such vectors. If x satisfies Item 2, then the product of f and fx is identically zero. If x satisfies Item 3, the product f and fx has the degree at most k, since in the opposite case x ∈ Sa1 ,...,aq (k). Suppose that x satisfies Item 4. Then we represent f as the sum of two functions f = f1 + f2 where f1 contains the terms of f
304
M. Lobanov / Tight Bounds Between Algebraic Immunity and Nonlinearities of High Orders
with ordinal numbers t, b1 , . . . , bu and f2 contains all remained terms. It is easy to check that the product of f2 and fx is identically zero, and the product of f1 and fx is equal to fx since f1 enters as the last factor in fx . Taking into account that deg(fx ) = wt(x), we deduce that for any x = (x1 , . . . , xn ) ∈ Sa1 ,...,aq (k) the corresponding fx belongs to Bk (f ). k Thus, dim(Bk (f )) ≥ Sa1 ,...,aq (k) = i=0 ni − |Sa1 ,...,aq (k)|. We combine Propositions 7 and 8 into the next theorem.
Theorem 2. Suppose that any two terms in the polynomial of the function f (x1 , . . . , xn ) do not contain joint variables. Let q be the number of terms in the polynomial of the function f , and a1 ≥ a2 ≥ . . . ≥ aq are the lenghts of these terms. Then dim(Bk (f )) = k n i=0 i − |Sa1 ,...,aq (k)|. Thus, for the quite wide class of functions we have reduced the problem of the calculation of dim(Bk (f )) to a simple combinatorial analysis.
4. Tight Bound between Algebraic Immunity and Nonlinearity of the Second Order Remark. Below we assume that the binomial coefficient less than 0.
n m
is equal to 0 if n or m are
Proposition 9. Suppose f (x1 , . . . , xn ) = x1 x2 + x3 x4 + · · · + x2q−1 x2q . Then k q−1 . dim(Bk (f )) = i=0 ni − i=0 2i n−2i−1 k−i
vectors of the weight k and n−2 Proof. The set Sa1 ,...,aq (k) contains n−2 k k−1 vectors of the weight k − 1 equal to zero in first two components. Summing, we obtain n−1 k vectors. n−4 The set Sa1 ,...,aq (k) contains 2 n−4 k−1 vectors of the weight k and 2 k−2 vectors of the weight k − 1 equal to zero in the second pair of components and equal to 1 in exactly one of the first two components. Summing, we obtain 2 n−3 k−1 vectors. t−1 n−2t t−1 n−2t The set Sa1 ,...,aq (k) contains 2 k−t+1 vectors of the weight k and 2 k−t vectors of the weight k − 1 equal to zero in the tth pair of components and equal to 1 in exactly two components for all previous pairs of variables. Summing, we obtain one of 2t−1 n−2t+1 k−t+1 vectors. Thus, we exhaust all vectors from Sa1 ,...,aq (k) and obtain that their number is equal to
q−1
n−5 n−3 n−1 q−1 n − 2q + 1 i n − 2i − 1 2 = . +. . .+2 +4 +2 k−q+1 k−i k−2 k−1 k i=0
Using Theorem 2 we obtain the conclusion of this proposition. The next proposition is analogous.
M. Lobanov / Tight Bounds Between Algebraic Immunity and Nonlinearities of High Orders
305
Proposition 10. Suppose f (x1 , . . . , xn ) = x1 x2 + x3 x4 + . . . + x2q−1 x2q + x2q+1 . k q . Then dim(Bk (f )) = i=0 ni − i=0 2i n−2i−1 k−i Theorem 3. Suppose that the function f (x1 , . . . , xn ) has the algebraic immunity AI(f ) = k ≤ ⌈n/2⌉. Then nl2 (f ) ≥
k−1
i=0
k−1 n − 2i − 1 n 2i . − k−1−i i i=0
Moreover, there exists the function f0 , AI(f0 ) = k, such that nl2 (f0 ) =
k−1
i=0
k−1 n − 2i − 1 n 2i . − k−1−i i i=0
Proof. It is well known (see, for example, [9]), that the function of degree at most 2 can be reduced by an affine transformation either to the form from Proposition 9 or to the form from Proposition 10. Then these propositions and Theorems 1 and 2 follow the conclusion of Theorem 3.
References [1] C. Carlet, On the higher order nonlinearities of algebraic immune functions, Proc. of CRYPTO’2006, Lecture Notes in Computer Science 4117 (2006), 584–601. [2] D.K. Dalai, K.C. Gupta, and S. Maitra, Results on Algebraic Immunity for Cryptographically Significant Boolean Functions, Proc. of Indocrypt’2004, Chennai, India, December 20-22, 2004, Lecture Notes in Computer Science 3348 (2004), 92–106. [3] M. Lobanov, Exact relation between nonlinearity and algebraic immunity, Discrete Mathematics and Applications 16(5) (2006), 453–460. [4] M. Lobanov, The bound on the nonlinearity of high orders of Boolean function via the value of its algebraic immunity, Proc. of 6th school of young researchers in discrete mathematics and its applications, Moscow, April 2007, Part 2, 11–16 (in Russian). [5] S. Mesnager, Improving the lower bound on the higher order nonlinearity of Boolean functions with prescribed algebraic immunity, Cryptology ePrint archive, Report 2007/117, http://eprint.iacr.org/. [6] N. Courtois and W. Meier, Algebraic attacks on stream ciphers with linear feedback, Proc. of EUROCRYPT’2003, Lecture Notes in Computer Science 2656 (2003), 345–359. [7] W. Meier, E. Pasalic, and C. Carlet, Algebraic attacks and decomposition of Boolean functions, Proc. of EUROCRYPT’2004, Lecture Notes in Computer Science 3027 (2004), 474–491. [8] A. Canteaut, Open problems related to algebraic attacks on stream ciphers, Proc. of the 2005 International Workshop on Coding and Cryptography (WCC’2005), Bergen, Norway, March 2005, 1–11. [9] F.J. McWilliams and N.J.A. Sloane, The Theory of Error Correcring Codes, New York, North-Holland, 1977.
306
M. Lobanov / Tight Bounds Between Algebraic Immunity and Nonlinearities of High Orders
Table 1. The lower bounds on nl2 (f ) given by our Theorem 3 and by bound (4) [5,4]. n
AI(f )
Bound of Theorem 3
Bound (4) [5,4]
>5 7 8
3 4 4
2 16 18
2 14 16
9 9
4 5
20 90
18 74
10 10
4 5
22 110
20 92
11
4
24
22
11 11
5 6
132 440
112 352
12 12 12
4 5 6
26 156 572
24 134 464
13 13
4 5
28 182
26 158
13 13
6 7
728 2004
598 1588
14 14 14 14
4 5 6 7
30 210 910 2732
28 184 756 2186
15 15
4 5
32 240
30 212
15 15 15
6 7 8
1120 3642 8768
940 2942 6946
16 16 16
4 5 6
34 272 1360
32 242 1152
16 16
7 8
4762 12410
3882 9888
17 17 17 17 17
4 5 6 7 8
36 306 1632 6122 17172
32 274 1394 5034 13770
17
9
37434
29786
18 18 18 18 18
4 5 6 7 8
38 342 1938 7754 23294
36 308 1668 6428 18804
18
9
54606
43556
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-307
307
On Implementation of One Type of Recursive Construction Sergey G. SHIPUNOV Lomonosov University, Moscow, Russia
Introduction One of the most usual constructions of stream ciphers consists of LFSR and a nonlinear filter. Boolean functions are usually used as a such nonlinear filter. Such functions should have some of the following properties: 1) 2) 3) 4)
high correlation immunity of order m; balancedness; high nonlinearity; fast implementation (at least software implementation).
Some recursive construction of such functions was proposed by Yu. Tarannikov in [1]. This construction is based on the definition of a proper matrix and on the theorem that provides the algorithm for the generation of a new set of functions from a set of functions and a proper matrix. As a result, functions constructed by the recursive implementation of Yu. Tarannikov’s construction have the following properties: 1) high correlation immunity of order m; 2) balancedness; 3) high nonlinearity, for some sequences of matrices it reaches the upper bound. In the general case it has an exponential complexity of a software implementation for an arbitrary sequence of matrices. In other words, on an input of a program we have an arbitrary sequence of matrices Bi , 1 ≤ i ≤ n, n ∈ N, and a Boolean vector X. We want using a computer program to calculate the value of some function constructed by means of Bi . If we try to calculate it according to the algorithm given in Yu. Tarannikov’s construction, then in the general case the complexity will be exponential. In this work the program implementation with a linear complexity is given.
1. Preliminary Definitions First we give some basic definitions. We define a vector space F2n as a space of vectors of length n with the components from F2 , the finite field of two elements 0 and 1. A
308
S.G. Shipunov / On Implementation of One Type of Recursive Construction
Boolean function f : F2n → F2 is a mapping from F2n to F2 .The weight of a Boolean function wt(f ) is the number of ones in its true table. The nonlinerity of a function f is nl(f ) = ming (wt(f ⊕ g)) where g is any affine function. A function f is a correlation immune function of order m if for any its subfunction f ′ from n − m variables wt(f ′ ) = wt(f )/2m . A function f is balanced if wt(f ) = wt(f ⊕ 1). A correlation immune function of order m is called m-resilent if it is balanced. In the following part we give definitions and the theorem which are used in the proof of the main Yu. Tarannikov’s theorem for the construction that we investigate. Definition 1. A Boolean function f = f (x1 , x2 , . . . , xn ) depends on a pair of variables (xi , xj ) quasilinearly, if f (X ′ ) = f (X ′′ ) for any vectors X ′ and X ′′ differ only in components i and j. In this case a pair (xi , xj ) is a pair of quasilinear variables. Yu. Tarannikov proved a theorem that any function depending on a pair of quasiliner variables could be represented in the special from. More precisely: Theorem 1 (Yu. Tarannikov). A pair (xi , xj ) is a pair of quasilinear variables in f = f (x1 , x2 , . . . , xn ) if and only if f can be represented in the following form: f = g(x1 , . . . , xj−1 , xj+1 , . . . , xi−1 , xi+1 , . . . , xn , xi ⊕ xj ) ⊕ xj . The following construction is the main part of the construction we want to implement. Construction 1. Let k be some integer and let f0 , . . . , f2k −1 be Boolean functions on F2n . Let σ1 , . . . , σk be the binary representation of r. Let C = (c1 , . . . , ck ) be any binary i=k vector. Denote s = i=1 ci . Let X = {xi | i = 1, . . . , n},
Y = {yi | i = 1, . . . , k},
Z = {zi | i = 1, . . . , k}
are the sets of variables. Denote F (X, Y, Z) =
k j=2 %−1
j=1
fσ1 ,...,σk (X)(y1 ⊕ c1 z1 ⊕ σ1 ) . . . (yk ⊕ ck zk ) ⊕ c1 z1 ⊕ · · · ⊕ ck zk .
Also the definition of a proper matrix is needed. It is the following: Definition 2. A matrix Bk0 ,k,p,t = bij of the size 2k × p with elements from the set (∗, 1, 2), is called a proper matrix, if
S.G. Shipunov / On Implementation of One Type of Recursive Construction
309
1) for any pair of rows i1 , i2 there exists the column j, such that bi1 ,j = 1, bi2 ,j = 2 or bi1 ,j = 2, bi2 ,j = 1; 2) the sum of all elements in any row is less or equal than t, in this sum ∗ counts as 0; 3) the number of ones in any row is less or equal than k0 . In Example 1 some proper matrices are given. Example 1. ⎞ ∗ ∗∗222 ⎜ 2 1 ∗ 2 1 ∗⎟ ⎟ ⎜ ⎜ 2 1 ∗ ∗ 2 1⎟ ⎟ ⎜ ⎜ 2 1 ∗ 1 ∗ 2⎟ ⎟ ⎜ ⎜ ∗ 2 1 2 1 ∗⎟ ⎟ ⎜ ⎜ ∗ 2 1 ∗ 2 1⎟ ⎟ ⎜ ⎜ ∗ 2 1 1 ∗ 2⎟ ⎟ ⎜ ⎜ 1 ∗ 2 2 1 ∗⎟ ⎟. ⎜ =⎜ ⎟ ⎜∗1 ∗ 2 ∗ 2 1⎟ ⎜ 1 ∗ 2 1 ∗ 2⎟ ⎟ ⎜ ⎜ 2 1 ∗ 1 1 1⎟ ⎟ ⎜ ⎜ ∗ 2 1 1 1 1⎟ ⎟ ⎜ ⎜∗1 ∗ 2 1 1 1⎟ ⎟ ⎜ ⎜ 1 1 1 2 1 ∗⎟ ⎟ ⎜ ⎝ 1 1 1 ∗ 2 1⎠ 1 111∗2 ⎛
B1,1,2,3 =
21 , 12
B3,3,4,5
⎞ ⎛ ∗122 ⎜2 ∗ 1 2⎟ ⎟ ⎜ ⎜2 2 ∗ 1⎟ ⎟ ⎜ ⎜1 2 2 ∗⎟ ⎟, ⎜ =⎜ ⎟ ⎜2 1 1 1⎟ ⎜1 2 1 1⎟ ⎟ ⎜ ⎝1 1 2 1⎠ 1112
B4,4,6,6
Definition 3. Let Sn,m,k be a set of Boolean functions, such as for any s, 0 ≤ s ≤ k, the set Sn,m,k contains an (m + s)-resilent function on F2n+s , which has s disjoint pairs of quasylinear variables. According to previous definitions the main theorem for the construction that we want to implement has the following formulation: Theorem 2 (Yu. Tarannikov). If 2p−t ≤ n,then it is possible to construct Sn+k+t,m+t,k0 with the use of a set of functions Sn,m,k0 and a matrix Bk0 ,k,p,t . We need the constructive part of the proof. We divide the proof into 3 steps. 1. For every i ≤ 2k we act by the following way. Suppose, that the number of ones in the row i is s. Then we take from Sn,m,k0 an (m + s)-resilent function with s pairs of disjoint quasilinear variables and add t − s linear variables to it. Then denote the result by fi′ . 2. We rename variables in fi′ according to the matrix Bk0 ,k,p,t . If in the row i at the place j it is 1 then in the resulting function we appoint (x2j−1 , x2j ) to be a pair of quasilinear variables . If in the row i at the place j it is 2 then in resulting function we appoint (x2j−1 , x2j ) to be a pair of linear variables. As a result we get fi′′ . 3. At last we imply Construction 1 to fi′′ for all C, 0 ≤ wt(C) ≤ k and get the resulting system Sn+k+t,m+t,k0 .
310
S.G. Shipunov / On Implementation of One Type of Recursive Construction
Let Bk0i ,ki ,pi ,ti , 0 ≤ i ≤ N , be a set of matrices with the restriction k0i = k i−1 . N N N We want to calculate a function from Sn+ N i (which is a i i i i=1 k + i=1 t ,m+ i=1 t , i=1 k0 result of a recursive using of Bk0i ,ki ,pi ,ti on Sn,m,k0 ) Depending on parameters, we divide matrices into two groups: 1. 2pi ≤ ti−1 + k i . Then we have enough variables added on Step 1 and previous Step 3 to use in the renaming in Step 2. So we could easily implement such functions with a linear complexity. 2. 2pi > ti−1 +k i . Then we have not enough variables added on Step 1 and previous Step 3 to use in the renaming in Step 2. So we have to use in the renaming some variables from previous steps. As a result we have to implement previous Step 2 for each function of current Step 2. Here we have an exponential complexity. Example 2. B3,3,4,5 is in the first group,B4,4,6,6 is in the second group. ⎞ ∗ ∗∗222 ⎜ 2 1 ∗ 2 1 ∗⎟ ⎟ ⎜ ⎜ 2 1 ∗ ∗ 2 1⎟ ⎟ ⎜ ⎜ 2 1 ∗ 1 ∗ 2⎟ ⎟ ⎜ ⎜ ∗ 2 1 2 1 ∗⎟ ⎟ ⎜ ⎜ ∗ 2 1 ∗ 2 1⎟ ⎟ ⎜ ⎜ ∗ 2 1 1 ∗ 2⎟ ⎟ ⎜ ⎜ 1 ∗ 2 2 1 ∗⎟ ⎟. ⎜ =⎜ ⎟ ⎜∗1 ∗ 2 ∗ 2 1⎟ ⎜ 1 ∗ 2 1 ∗ 2⎟ ⎟ ⎜ ⎜ 2 1 ∗ 1 1 1⎟ ⎟ ⎜ ⎜ ∗ 2 1 1 1 1⎟ ⎟ ⎜ ⎜∗1 ∗ 2 1 1 1⎟ ⎟ ⎜ ⎜ 1 1 1 2 1 ∗⎟ ⎟ ⎜ ⎝ 1 1 1 ∗ 2 1⎠ 1 111∗2 ⎛
B3,3,4,5
⎞ ⎛ ∗122 ⎜2 ∗ 1 2⎟ ⎟ ⎜ ⎜2 2 ∗ 1⎟ ⎟ ⎜ ⎜1 2 2 ∗⎟ ⎟, ⎜ =⎜ ⎟ ⎜2 1 1 1⎟ ⎜1 2 1 1⎟ ⎟ ⎜ ⎝1 1 2 1⎠ 1112
B4,4,6,6
2. Algorithm There are 3 main ideas which allow the linear implementation of the construction in the general case. They are following:
1. To reverse the construction. The nonlinear part of the construction is concentrated in
F (X, Y, Z) =
k j=2 %−1
j=1
fσ1 ,...,σk (X)(y1 ⊕ c1 z1 ⊕ σ1 ) . . .
× (yk ⊕ ck zk ⊕ σk ) ⊕ c1 z1 ⊕ · · · ⊕ ck zk .
311
S.G. Shipunov / On Implementation of One Type of Recursive Construction
If we know Y, Z, C then we could easily find the previous function fσ1 ,...,σk (X). More precisely, σi = yi ⊕ ci zi ⊕ 1. To implement this idea we need the operator if, so we can discuss only a software implementation. 2. To calculate only one function on each step, more precisely to calculate only: • the linear part: the sum of ci zi and the sum of the linear variables in the next Step 1; • the index of the previous function σ1 , . . . , σk in Step 3 and s in Step 1. 3. To find some quite fast renaming for Step 2. Let Bk0i ,ki ,pi ,ti , 0 ≤ i ≤ N, be any sequence of matrices with the restriction k0n ≤ k n−1 , and let Sn,m,k00 be a random system of functions. Since here we are interested only in an implementation, we need only the restriction that for any 0 ≤ s ≤ k0 there exists a function with s pairs of disjoint variables in Sn,m,k00 . Let i=N i i=N i Sn+ i=1 i N k + i=1 t ,m+ i=N i=1 t ,k
be a system constructed with the using of Bk0i ,ki ,pi ,ti , 0 ≤ i ≤ N . We fix sN , 0 ≤ sN ≤ kN . At first, we reverse the Step 3. On this step of main theorem for Bk0N ,kN ,pN ,tN and Sn+ i=N −1 ki + i=N −1 ti ,m+ i=N −1 ti ,kn i=1
we have fsN (X, Y, Z) =
%
σ1 ,...,σkN
i=1
i=1
fσ′′1 ,...,σk (X) y1N ⊕ z1N ⊕ σ1 . . . N
i=s % N × ysN ⊕ zsN ⊕ σs ys+1 ⊕ σs+1 . . . ykNN ⊕ σkNN ⊕ ziN . i=1
For any fixed Y, Z only one of N N y1 ⊕ z1N ⊕ σ1 . . . ysN ⊕ zsN ⊕ σs ys+1 ⊕ σs+1 . . . ykNN ⊕ σkNN
is not equal to 0, so it defines the index σ1 , . . . , σkN of fσ′′1 ,...,σk . More precisely, N
N ⊕ 1, . . . , σkN = ykNN ⊕ 1. σ1 = y1N ⊕ z1N ⊕ 1, . . . , σs = ysN ⊕ zsN ⊕ 1, σs+1 = ys+1
Moreover, this index is the number of rows in Bk0N ,kN ,pN ,tN according to which the renaming was made.
312
S.G. Shipunov / On Implementation of One Type of Recursive Construction
Also the sum of the linear variables is easily calculated: LN =
i=s %
ziN .
i=1
During this step we need O k operations for the calculating σ1 , . . . , σkN and O k N operations for the calculating of LN . So, the overall complexity of this step is O k N operations. At second, we reverse the Step 2. Suppose that in the row i in Bk0N ,kN ,pN ,tN there L L are also s 1’s, then there are tN − s 2 2’s and pN − tN + s 2 ∗’s in this row. We define the renaming by the following way:
N
1. Suppose that 2 is at place j in row i and before it there are r2 2’s. In the Step1 N there were added tN − s linear variables, we denote them by uN 1 , . . . , utN −s . Now we rename N N N u2r2 −1 , uN 2r2 into x2j−1 , x2j .
Example 3. For a row of B4,4,6,6
row 2 1 ∗ 2 1 ∗ ... N N N N set of variables u1 , u2 u3 , u 4 N N N N N N N N N N N N renamed set xN , x x , x x , x 1 2 3 4 5 6 x7 , x8 x9 , x10 x11 , x12 x13 . . . 2. Suppose that 1 is at place j in the row i and there are r1 1’s before it. In Step 3 for BkN −1 ,kN −1 ,pN −1 ,tN −1 0
and Sn+ i=N −2 ki + i=N −2 ti ,m+ i=N −2 ti ,kN −2 i=1
i=1
i=1
there s variables z and k N −1 variables y were added. We denote them by N −1 −1 . z1 , . . . , zsN −1 and y1N −1 , . . . , uN N −1 y
Among them, ziN −1 , yiN −1 , 0 ≤ i ≤ s, are the pairs of quasilinear variables. We rename N −1 N −1 N into xN yr1 , zr1 2j−1 , x2j .
Example 4. For a row of B4,4,6,6
row of matrix 2 1 ∗ 2 1 ∗ ... N N −1 N −1 N N N −1 N −1 , z , z set of variables uN , u y u , u y 1 2 3 4 1 2 1 2 N N N N N N N N renamed set xN xN xN xN xN 1 , x2 3 , x4 5 , x6 x7 , x8 9 , x10 11 , x12 x13 . . .
S.G. Shipunov / On Implementation of One Type of Recursive Construction
313
3. At we make any fixed renaming of remaining variables. So, variables Nlast, −1 , . . . , ykNN−1 ys+1 −1 , which were not included in pairs of quasilinear variables, N are renamed into xN i1 , . . . , xskN −1 −s . The complexity of the renaming mostly depends on this substep. As a quite fast variant of such a renaming we use following: L F E • We add max 0, tN + k N −1 − 2pN 2 ∗’s to the end of row.
∗ MSuppose at place j and there are r3 ∗’s before it in the row and r3 ≤ N N −1 ∗ isL N −1 N −1 N k − s 2 then we rename ys+2j−1 , ys+2j into xN 2j−1 , x2j . ∗ Suppose there areLr3 F∗’s before it in the row and E N M N −1 * isLat Nplace j and N −1 − s 2 < r3 ≤ k −1 − s 2 then we rename ys+2j−1 into k xN . 2j−1 ∗ Suppose at place j and there are r3 ∗’s before it in the row and r3 > F E N −1 ∗ isL k − s 2 then we do nothing.
−1 • At last we rename remaining variables xN into xN i tN +kN −1 .
Example 5. For a row of B3,3,4,5 row of matrix 2 2 1 ∗ ... N N N N −1 N −1 N −1 N −1 N −1 set of variables uN , u u , u y , z y , y x ... 1 2 3 4 1 1 2 3 1 N N N N N N N N N renamed set x1 , x2 x3 , x4 x5 , x6 x7 , x8 x9 . . . Example 6. For a row of B4,4,6,6 row of matrix 2 1 ∗ 2 1 ∗ ... N −1 N −1 N −1 N −1 N N −1 N −1 N −1 N N −1 N N −1 set of variables uN , u y x u , u y x x , z , x , z , x 1 2 3 4 1 1 2 3 5 1 2 2 4 N N N N N N renamed set xN xN xN xN xN xN xN 1 , x2 3 , x4 5 , x6 7 , x8 9 , x10 11 , x12 13 . . .
So, the renaming of variables is just the replacing N U = uN 1 , . . . , utN −s ,
Z = z1N −1 , . . . , zsN −1 ,
Y = y1N −1 , . . . , ykNN−1 −1
with some variables from X according to Bk0N ,kN ,pN ,tN . Some variant of such renaming N N −1 , Z N −1 . And the is given above. From it we easily s and values of U , Y N calculate N −1 N variables is nontrivial. The renaming of renaming of only first max 2p , t + k0 N N others is just a shift of their indexes at max 2p , t + k0N −1 . It means that we need only to know the shift,but not to rename all of them during the step. So, the complexity of this step is O max 2pN , tN + k0N −1 . At last, we reverse the Step 1. From the Step 2 we have N U = uN 1 , . . . , utN −s .
We add them to LN .The complexity is O tN − s . Now we can reverse Step 3 for N − 1.
314
S.G. Shipunov / On Implementation of One Type of Recursive Construction
3. Result i=N i i=N i N with We replace the calculation of a function from Sn+ i=N i i=1 k + i=1 t ,m+ i=1 t ,k the calculation of function from
Sn+ i=N −1 ki + i=N −1 ti ,m+ i=N −1 ti ,kN −1 i=1
i=1
i=1
and calculation of the linear part LN . As a result we have the following complexity for the algorithm: O tN + O max(2pN , tN + k0N −1 + O k N = O(number of all variables). N
As a result, Yu. Tarannikov’s recursive construction provides high correlation immunity of order m, balancedness, high nonlinearity( for some sequences of matrices it reaches the upper bound) and linear complexity of the program implementation. It makes this construction quite good for the practical using in stream ciphers.
References [1] Yu. Tarannikov, New constructions of resilient Boolean functions with maximal nonlinearity, Proc. of 8th Fast Software Encryption Workshop (FSE 2001), Yokohama, Japan, April 2–4, 2001, Revised Papers, Lecture Notes in Computer Science 2355 (2002), Springer-Verlag, 66–77.
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-315
315
On Impossibility of Uniform Distribution of Codewords over Spheres1 Maria YARYKINA Lomonosov University, Moscow, Russia
Introduction The binary codes with codewords uniformly distributed over subcubes, their characteristic Boolean functions and arrays with codewords written in rows are studied in the case of: • • • •
codes with a high dual distance; correlation-immune Boolean functions; resilient Boolean functions; orthogonal arrays and so on.
Such structures are important in: • statistics to design an experiment; • cryptology to hide a secret; • to generate pseudorandom sequences. The uniform distribution of codewords over spheres was not studied extensively before the paper [1]. However, codes with such codeword distribution seem to be helpful in many applications, for example, when the code plays a role of a hash-like function or when we want to have for all possible words at the output of the channel approximately equal numbers of proper decodings. It is implemented as a combiner in stream ciphers, the characteristic Boolean functions of such codes must have a good resistance against the statistical attacks when an opponent has a possibility to change some (restricted) number of inputs of the function. Yu. Tarannikov [1] studied the codes with codewords uniformly distributed with degree 1 over spheres and described such codes including their enumeration for each n. In papers [2,3,4] the codes with codewords uniformly distributed with degree l over spheres were studied. Non-existence of such codes for some ranges of cardinality was 1 This work was partially supported by the Russian Foundation for Basic Research (grant no. 05-01-00994), by program “Leading scientific schools” (grant no. 5400.2006.1), and by program for Basic Research of mathematical department of RAS “Algebraic and combinatorial methods of mathematical cybernetics”.
316
M. Yarykina / On Impossibility of Uniform Distribution of Codewords over Spheres
proved. In [2,3,4] codes of small cardinality and partially codes of large cardinality were considered. In the present paper we introduce the general concept of the UDS-codes, uniformly distributed over spheres, and prove nonexistence results on UDS codes for almost all cases for any positive integer l. Some Background and Definitions Let V n be an n-dimentional vector space over GF (2) (Boolean cube of dimension n). A set of vectors C ⊆ V n is said to be a (binary) code, any x ∈ C is a codeword, m = |C| (the number of codewords in C) is a cardinality, C = V n \ C is a complementary code for C. A shortened code of C is generated by a cancellation of some components in all codewords of C. (Hamming) distance d(x, y) is the number of components where vectors x and y are different. Sr (x) = {y ∈ C | d(x, y) ≤ r} is a sphere. wt(Sr (x), C) = |Sr (x) ∩ C| is the weight of the sphere. Definition 1. Let l be a nonnegative integer. We say that a code C ⊆ V n is an l-UDS code (uniformly distributed over spheres) if for each r we have max{wt(Sr (x), C)} − min{wt((Sr (x), C)} ≤ l. x
x
Definition 2 (Generalization). Let l and ri be nonnegative integers, all ri are different, i = 1, . . . , h. We say that a code C ⊆ V n is an UDS(l; r1 , . . . , rh )-code (uniformly distributed over spheres) if for each i = 1, . . . , h max{wt(Sri (x), C)} − min{wt((Sri (x), C)} ≤ l. x
x
Obviously, wt(Sri (x), C) = |C| − wt(Sn−ri −1 (x), C), where x is the vector opposite to x. It follows that if C is an UDS(l; r)-code then C is also an UDS(l; n − r − 1)code. Therefore, it is sufficient to consider only the radii which are not greater than ⌊n/2⌋. If a code C is an UDS(l; r1 , . . . , rh )-code then the complementary code C is also an UDS(l; r1 , . . . , rh )-code. Therefore, it is sufficient to consider only codes C of cardinality |C| ≤ 2n−1 . Preliminaries It is easy to see that the perfect code with the code distance 3 (for example, the Hamming code) is an UDS(0, 1)-code. Any code of odd length n that contains with each codeword x also its opposite x, is an UDS(0, (n − 1)/2)-code. The linear code of odd length n given by the parity-check matrix (1, 1, . . . , 1 0, 0, . . . , 0) ) *+ , ) *+ , (n+1)/2
(n−1)/2
is an UDS(0, 1)-code. Obviously, 0-UDS codes are C = ∅ and C = V n only. All 1-UDS codes were described in [1] in terminology of Boolean functions. In particular, the following theorems were established.
M. Yarykina / On Impossibility of Uniform Distribution of Codewords over Spheres
317
small cardinality medium cardinality large cardinality ✛ ✛ ✛ ✘ ✘ ✘ ✎ ☞ q q✲ q q q q q ❆❑ n 2n ❆ 2n−1 2n 2n 2l + 1 8nl o √ne 4l+1 λ ns k0 (l) n 2n ❆ i=0 ( i ) n0 is estimated Figure 1.
Theorem 1 ([1]). Let C be a code in V n , |C| ≤ 2n−1 . If C is an 1-UDS code then at least one of the following 3 cases holds: 1) |C| ≤ 2; 2) n ≤ 4; 3) n = 6, |C| = 4. Theorem 2 ([1]). The number of 1-UDS codes in V n is equal to ⎧ n 22 ⎪ ⎪ ⎪ ⎪ ⎪ 80 ⎪ ⎪ ⎪ ⎨334 ⎪ 2818 ⎪ ⎪ ⎪ ⎪ ⎪ 3 · 2n + 2 ⎪ ⎪ ⎩ (n + 3)2n + 2
for n ≤ 2, for n = 3, for n = 4, for n = 6, for n ≥ 5, n odd, for n ≥ 8, n even.
The next question appears by the natural way: Does for any l > 0 there exist minimal n0 = n0 (l) such that for n ≥ n0 there do not exist l-UDS codes in V n of cardinality m, 2l < m < 2n − 2l? In [1] it is proved that n0 (1) = 7, 2 < m < 2n − 2. In the present paper we prove that for the fixed positive integer l there exists the positive integer n0 (l) such that for all n ≥ n0 (l) there do not exist l-UDS codes in V n of cardinality m where 2l + 1 ≤ m ≤ 2n−1 . The actual value of n0 (l) remains an open problem. For the proof of this result we consider three cases: codes of small cardinality, codes of medium cardinality and codes of large cardinality (see Figure 1).
1. The Codes of Small Cardinality In this section we consider the codes of cardinality satisfyied to the expressions m ≥ 2l + 1,
m=o
√
nen/4
l+1
.
Theorem 3 (The codes of small cardinality). Let l be a positive integer and m = m(n) ≥ 2l + 1. Then l-UDS codes in V n of cardinality m do not exist beginning with some sufficiently large n for √
m → 0 or nen/4l+1
m=o
√ l+1 . nen/4
318
M. Yarykina / On Impossibility of Uniform Distribution of Codewords over Spheres
as n → ∞. For the proof of Theorem 3 we use the following lemma. Lemma 1. Let α = α(n) < 1/2. Then
⌈αn⌉ 1 1−α 1 1 n · ≤ 1+O ; 2n i=0 i (1 − 2α)2 n n ⌈αn⌉ 1 n ≤ 2n i=0 i
O
1−α 1 1 √ 2πα 1 − 2α ne((1−2α)2 /2+O((1−2α)4 ))n
1+O
1 . (1) n
Proof of Theorem 3. To prove the theorem we demonstrate that for an arbitrary code C in V n there exists a sphere of radius R with weight 0 and a sphere of radius R with weight at least l + 1 beginning with some sufficiently large n. Let R = α(n)n where α(n) < 1/2 for all n. The average weight of spheres of radius R for code C is R 1 n . PR (C) = n m i 2 i=0
Let’s construct the subcode C ′ ⊂ C by choosing (l + 1) codewords of the code C which are congruent in aggregate in the maximum number of components t and consider the matrix A = A(C), whose rows are the codewords of the code C. By combinatorial properties we find 2n m/2 l+1 t≥ m . l+1
After the removing the identical components, we obtain a shortened code C ′ ⊆ V n−t of cardinality (l + 1). The average weight of spheres of radius R for the code C ′ is ′
PR (C ) =
1 2n−t
(l + 1)
R
n−t i=0
i
l+1 = (l + 1) − n−t 2
n−t−R−1
i=0
n−t . i
The value R must satisfy the next relations: PR (C ′ ) → l + 1 =⇒ R >
1 (n − t), 2
PR (C) → 0 =⇒ R
l+1 · · 1 × 1+ 1− m(m − 2(l + 1)) m−l−1 2 2
= β = l+1 m
with some sufficiently large n for each constant l. Therefore, by inequality (1) of Lemma 1 and by condition of the theorem ⌈αn⌉ n 1 PR (C) = n m(n) ≤ i 2 i=0
< c0 · 2l+2 · √
O
1 1−α 1 · · √ (β 2 /2+O(β 4 ))n 2πα β ne
m(n) m(n) ′ →0 2l+3 = c √ n/2 ne nen/22l+3
1+O
1 n
(n → ∞).
So, a sphere of radius R with weight 0 exists beginning with some sufficiently large n. Furthermore, l+1 PR (C ) = (l + 1) − n−t 2 ′
= (l + 1) − c′ √
n−t−R−1
i=0
(l + 1)m(n) n−t > (l + 1) − c0 · 2l+1 · √ n/22l+3 i ne
m(n) →l+1 nen/22l+3
(n → ∞).
As a result, the sphere of radius R with weight at least l + 1 exists beginning with some sufficiently large n.
2. The Codes of Medium Cardinality This case is the most trouble for the proof. The properties of Reed–Muller’s codes, the properties of sums of binomial coefficients and the properties of a mutual placement of spheres of different radii in Boolean cube are used for the proof of this theorem. In this section we consider the codes of cardinalities satisfying 2n 8nl ≤ m ≤ k (l) n . 0 i=0
i
320
M. Yarykina / On Impossibility of Uniform Distribution of Codewords over Spheres
Lemma 2. Suppose that all spheres of radius k have weights not more than l0 . Moreover, there is the sphere of radius r (r ≤ k) with the center γ0 and weight l0 . Then the sphere of radius 2k − r with the center γ0 has the weight exactly l0 . Lemma 3 (transfer from a sphere of radius k to a sphere of radius αk). Suppose that all spheresM of radius k have N weights not more than l. Then there is at least one sphere of radius 2l k/(2l − 1) with weight no more than l. Lemma 4 (The inequality for sums of binomial coefficients). Let l be fixed E F positive l l l integer. Then there is k0 , k0 ≥ k0 (k0 = k0 (l) = (2 −1) 2 · 2 + 2 log2 l − 2 , depends on l only), so that for k > k0 , n ≥ 2k · 2l /(2l − 1) + 2l + 2 the next inequality holds: l −1) ⌊2l k/(2 k+1 n ⌋ n . > 2l i i i=0 i=0
(2)
Remark 1. For l = 2 we have k0 = 52. Lemma 5 (The covering of Boolean cube). Boolean cube of dimension n can be covered by (at most) 4n spheres of radius R = n/2 − 2l − 1 beginning with some sufficiently large n. Proof. At first we prove lemma in case of n = 2t . It is well known that for each of these n the Reed–Muller’s code of first order exists (this code corresponds to the set of all linear functions). The cardinality of the Reed–Muller’s code in V n is 2n. According to the properties of Reed–Muller’s code [5, Ch. 14], the distance from any point in a Boolean cube to Reed–Muller’s code is at √ most n/2 − n/2. Let’s consider the set of the spheres of radius R with the centers √ in codewords of Reed–Muller’s code. For R ≥ n/2 − n/2 this set of spheres covers the whole Boolean cube. Clearly, for n ≥ 22l+2 + 4 · 2l+1 + 4 the inequality √ R = n/2 − 2l − 1 ≥ n/2 − n/2 holds. The lemma is proved for n = 2t . Now we prove lemma for arbitrary n. Consider n1 = 2t < n < n2 = 2t+1 . The Reed–Muller’s code C1 of cardinality 2n1 exists for n1 . We correspond the matrix A′ to the code C1 . Each row of A′ is the coordinate notation of a codeword of C1 . So, the matrix A′ has 2n1 rows and n1 columns. In a similar manner, the matrix A′′ is constructed for n2 . Note that the matrix A′′ is obtained from the matrix A′ by ′′
A =
A ′ A′ , A′ A′
where A′ is obtained from A′ by replacing zeros by ones and ones by zeros. Let’s consider the code Cn , corresponded to the matrix An which consists of the first n columns of the matrix A′′ . We prove that the set of the spheres of radius R(n) with the center in codewords of Cn covers the whole Boolean cube. For any point α = (α1 α2 ) of a Boolean cube where α1 is the length of n1 , α2 is the length of n − n1 , the codeword γ ∈ Cn such that
M. Yarykina / On Impossibility of Uniform Distribution of Codewords over Spheres
d(α, γ) ≤
n − 2
321
√
n1 2
exists. √ At first we get the codeword γ1 ∈ C1 such that d(α1 , γ1 ) ≤ n1 /2 − n1 /2. It exists due to the properties of Reed–Muller’s code of the first order. The matrix An contains two rows which are beginning with γ1 . They are the rows (γ1 γn ) and (γ1 γ n ), where γn has the length n−n1 , γ n is the binary vector obtained from the binary vector γn by replacing of zeros by ones and ones by zeros. Therefore, the smallest from the distances d(α2 , γn ) and d(α2 , γ n ) is not greater than (n − n1 )/2. The desired codeword γ corresponds to the smallest distance. Indeed, d(α, γ) = d(α1 , γ1 ) + min{d(α2 , γn ), d(α2 , γ n )} √ √ n1 n1 n − n1 n n n1 − + ≤ − ≤ − 2l − 1. ≤ 2 2 2 2 2 2 So, the set of the spheres of radius Rn with the centers in codewords Cn really covers the whole Boolean cube. The cardinality of Cn is 2n2 , hence, 2n2 = 4n1 < 4n. Theorem 4 (The codes of medium cardinality). Let l be a fixed positive integer. Then there is some k0 (l) such that beginning with some sufficiently large n there is not a lUDS-code in V n of cardinality m, satisfied to the inequality 2n 8nl < m < k (l) n . 0 i=0
i
Proof. Suppose that the l-UDS code of cardinality m exists in the Boolean cube of dik0 n , that there is mension n. It follows from the condition of theorem, m < 2n / i=0 i a sphere of radius k = k0 with weight 0. We have estimated in the induction step that there is a sphere of radius k + 1 with weight 0. Induction base: k = k0 . Induction step: If there is the sphere Mof radius k =N k0 with weight 0, then, by Lemma 3, there is a sphere of radius R ≥ 2l k/(2l − 1) with weight no more than l. Any sphere of radius R has a weight no more than 2l because C is the l-UDS code. Further we consider two cases. If n < 2k · 2l /(2l − 1) + 2l + 2, then by Lemma 5 the whole Boolean cube can be covered by 4n spheres of radius R. One of these spheres has the weight no more than l, weights of other spheres are no more than 2l. So, the cardinality of the code is no more than l + 2l(4n − 1), that contradicts to conditions of the theorem. If n ≥ 2k · 2l /(2l − 1) + 2l + 2, then by Lemma 4 the average weight of spheres of radius k + 1 is less than 1/2l of the average weight (denoting P2l k/(2l −1) ) of spheres of radius 2l k/(2l − 1). Thus, Pk+1
1 is a positive number, s is a natural number): 2n ul2 · ≤ m(n) ≤ 2n−1 , s = 1, 4 n+1 n 2n ul2 2n · s n ≤ m(n) ≤ 2 + cs s n , s = 2, 3, . . . , k0 (l) + 1, 4 s i=0 i i=0 i
and the second set:
2n ul2 2n n n , · + c ≤ m(n) ≤ s+1 s s+1 n (s + 1)2 4 i=0 i i=0
s = 1, 2, . . . , k0 (l) + 1,
i
where k0 (l) is an integer from Theorem 4 (medium cardinality). We prove in Theorem 5 non-existence of codes from the first set of cardinalities and in Theorem 6 non-existence of codes from the second set of cardinalities. Theorem 5 (The codes of large cardinality, case 1). Let l ∈ N, s ∈ N, u > 1. Let cs be some constant (one per each s). Then beginning with some sufficiently large n for m such that n 2n ul2 2n s n ≤ m ≤ 2 + cs s n , for s ≥ 2, 4 s i=0 i i=0 i ul2 2n · ≤ m ≤ 2n−1 , 4 n+1
for s = 1.
there does not exist an l-USD code in V n of cardinality m. In addition, if s = 1, there does not exist an l-USD code in V n of cardinality m for 2n ul2 · ≤ m ≤ 2n−1 4 n+1 beginning with any n satisfied the inequality n>
u u−1
3l + 1 +
ul2 4
Remark 2. For any s we use l-UDS on r ≤ 2s.
,
n ≥ 6l + 3 +
ul2 . 2
M. Yarykina / On Impossibility of Uniform Distribution of Codewords over Spheres
323
Remark 3. The codes of cardinality m satisfied the inequality for s = 1 are almost all binary codes of dimension n. This case also includes the balanced codes. For the proof of Theorem 5 we use the following lemma. Lemma 6. Let s be a positive integer and n ≥ 2s. Then
• each pair of codewords at the distance 2s or 2s − 1 is contained in 2s s spheres of radius s; • each pair of codewords at the distance 2s − 2 or 2s − 3 is contained in 2s−2 s−1 · n spheres of radius s; • each at the distance 2s − 2t or 2s − (2t + 1) is contained in t of codewords 2s−2tpair t−1 n + O(n ) = O(nt ) spheres of radius s (t ≥ 2). s−t
Proof of Theorem 5. Let C be an l-UDS code of cardinality m, Ps is an average weight of spheres of radius s. We define N as the number of pairs (x, y), x, y ∈ C, x = y, such that d(x, y) ≤ 2s. We evaluate N by two different ways. First way. Let’s find the lower estimation for N . For each codeword α of C we consider the sphere S2s (α) of radius 2s with the center α. It contains all points of a Boolean cube at distance at most 2s from the codeword. The weight of S2s (α) is at least (⌈P2s ⌉−l), since C is an l-UDS code. Hence, the number of pairs described above which contain the codeword α, is at least (⌈P2s ⌉ − l). Similarly, we consider all codewords of C. So, each pair (α1 , α2 ) is counted twice: as the pair containing α1 and as the pair containing α2 . Because the cardinality of C is m and the number of pairs containing each codeword is at least (⌈P2s ⌉−l), then the doubled number of pairs 2N satisfies inequality: 2N ≥ m · (⌊P2s ⌋ − l) ≥ m
2s m n · −l . 2n i=0 i
(3)
Second way. Let’s find the upper estimation for N . Let h be the minimum weight of a sphere of radius s, then the maximum weight of a sphere of radius s is not more than h + l. Let also ti , i = 0, . . . , l be the numbers of spheres of weight h + i. Then the values l i=0
ti = 2n ,
l i=0
ti (h + i) = m ·
s n i=0
i
are the number of all spheres of radius s in a Boolean cube of dimension n and the sum of weights of all spheres of radius s in a Boolean cube of dimension n, respectively. Each pair of codewords at a distance 2s is contained in 2s s spheres of radius s simultaneously. Each pair of codewords at a distance less then 2s is contained in at spheres of radius s simultaneously. We summarize the numbers of pairs of least 2s s codewords in all 2n spheres of radius s in a Boolean cube. Each sphere of radius s with pairs of codewords at a distance at most 2s, the number weight h + i contains the h+i 2 of spheres of radius s with weight h + i is ti . We have
324
M. Yarykina / On Impossibility of Uniform Distribution of Codewords over Spheres
l h+i 2s ′ h ′ h+l ti N≤ ≤ t0 + tl s 2 2 2 i=0
h(h − 1) 2hl + l2 − l + t′l 2 2
s n 2h + l − 1 n n h(h − 1) + m . =2 −2 h i 2 2 i=0
= (t′0 + t′l )
(4)
Since
h+j+1 h+i−1 h+j h+i , + ≤ + 2 2 2 2
l l the sums i=0 ti and i=0 ti (h + i) don’t change under that operations, so t′0 and t′l satisfy the set of equations: t′0 + t′l = 2n ,
t′0 h + t′l (h + l) = m
s n i=0
i
.
Comparing these two evaluations for N , lower (3) and upper (4), we have
2s m n 2s · −l−1 m s 2n i=0 i
s 2h + l − 1 n n n h(h − 1) + m . −2 h ≤2 2 i 2 2 i=0 We remember that the cardinality of the code C is m = Ps 2n /
s
i=0
2s n
2s 2s 2 · Ps · (l + 1) · Ps · si=0 ni − s s i=0 i s n ≤ · (h(h − 1) + (Ps − h)(2h + l − 1)). i i=0
n i
(5)
:
(6)
At the next step we evaluate the sums of binomial coefficients depending on degree n: s n
=
ns + (3s − s2 )ns−1 /2 + O(ns−2 ) , s!
i
2s n
1 2s 3s − 3s2 s−1 n · si=0 ni = + O(ns−2 ) . ns + s s! 2 i=0 i i=0
(7)
Then we re-arrange terms in the inequation (6), substituting corresponding polynomials depending on degrees of n instead of the sums of binomial coefficients. In addition, we divide both sides of the obtained inequality by ns−1 /s!:
M. Yarykina / On Impossibility of Uniform Distribution of Codewords over Spheres
1 (2s)! Ps 3s − 3s2 +O · s−1 · (l + 1) Ps2 − 2 n s! n
2 1 3s − s +O ≤ n+ (h(h − 1) + (Ps − h)(2h + l − 1)). 2 n
325
n+
(8)
We fulfill the rest of our proof separately for case s > 1 and for case s = 1. In case of s > 1 from the condition of the theorem it follows that the fraction Ps /ns−1 is not greater than Ps /ns−1 ≤ (Ps /n) · Ps = Ps2 · O(1/n). Therefore, the term ((2s)!/s!) · (Ps /ns−1 ) · (l + 1) is negligible. We rearrange terms in inequality (8). At the left side of the inequality we represent Ps2 as (Ps − h)(Ps − h − l) + (2Ps h + Ps l − h2 − hl) and reduce similar terms:
1 3s − 3s2 +O Z = n+ (Ps − h)(Ps − h − l) 2 n ) *+ , =Z1
+ n+ )
3s − s2 +O 2 *+ =Z2
1 Ps n ,
1 2 − s +O (2Ps h + Ps l − h2 − hl) ≤ 0. n ) *+ ,
(9)
=Z3
Then, we demonstrate that the left side of the inequality (9) is positive under the condition of the theorem, i.e., Z = Z1 + Z2 − Z3 > 0. Using Ps2 − 2Ps h + h2 + hl ≥ 0, we estimate Z3 and, consequently, Z:
1 3s − 3s2 +O Z = Z1 + Z2 − Z3 ≥ n + (Ps − h)(Ps − h − l) 2 n
1 1 3s − s2 +O (10) + Ps n + − s2 l − s2 + O Ps . 2 n n
Both addends are quadratic functions with respect to Ps . It follows from the properties of a quadratic function that (Ps − h)(Ps − h − l) ≥ −
l2 4
for any Ps .
(11)
We represent the second addend of (10) in the form Ps (X − tPs ), where X = n + (3s − s2 )/2 + O(1/n) − s2 l, t = s2 + O(1/n). For Ps in the interval z ≤ Ps ≤ X/t − z the inequality Ps (X − tPs ) ≥ z(X − tz) holds.
(12)
326
M. Yarykina / On Impossibility of Uniform Distribution of Codewords over Spheres
Setting z = ul2 /4, we have n ul2 ≤ Ps ≤ 2 + Cs , 4 s where constants Cs are assigned for each s. Now, we substitute the inequalities (11) and (12) to the expression (10): Z≥
(u − 1)l2 n + O(1). 4
For u > 1 the expression (u−1)l2 n/4+O(1) is positive beginning with some sufficiently large n. So, we have Z ≤ 0 (9) on the one hand and Z > 0 on the other hand. This is a contradiction. The theorem is proved for s > 1. Case s = 1. In this case the expression (6) has the form 2 n 1 n i · (l + 1) ≤ − 2 · P · (h(h − 1) + (P1 − h)(2h + l − 1)). 2 · P12 · i=0 n 1 1 i i=0 i=0 i
After the transformations which are similar to the general case,we have n(P1 − h)(P1 − h − l) + P1 (n − 3l − 1 − P1 ) +
2 P1 ≤ 0. n+1
(13)
Since 2P1 /(n + 1) > 0, this addend can be neglected. It follows from the properties of a quadratic (with respect to P1 ) function that l2 , 4
ul2 ul2 P1 (n − 3l − 1 − P1 ) ≥ n − 3l − 1 − , 4 4
(P1 − h)(P1 − h − l) ≥ −
if ul2 /4 ≤ P1 ≤ n − 3l − 1 − ul2 /4. In the condition of theorem, for n ≥ 6l + ul2 /4 + 3, ul2 /4 ≤ P1 ≤ (n + 1)/2 the expression (13) has the form −
ul2 l2 n+ 4 4
n − 3l − 1 −
ul2 4
≤ 0.
Obviously, the left side of the inequality (14) is positive for u > 1 and n> This is a contradiction.
u u−1
3l + 1 +
ul2 4
.
(14)
M. Yarykina / On Impossibility of Uniform Distribution of Codewords over Spheres
327
Lemma 7. Let x1 , . . ., xk are arbitrary positive integers such that x1 +· · ·+xk = S > 0 and max{xi } − min{xi } ≤ l. Then kl2 S2 S2 ≤ x21 + · · · + x2k ≤ + . k k 4 Theorem 6 (The codes of large cardinality, case 2). Let l ∈ N, s ∈ N. Let λ1 , λ2 be some positive numbers. Then beginning with some sufficiently large n there does not exist an l-USD code in V n of cardinality m such that λ1 s
2n
i=0
n ≤ m ≤ λ2 s
2n
i=0
i
n . i
Remark 4. We choose the numbers λ1 and λ2 such that the classes of cardinalities from Theorems 5 and 6 are mutually intersected. Proof of Theorem 6. Let C be an l-UDS code with cardinality m. We define N as the number of pairs (x, y), x, y ∈ C, x = y, such that d(x, y) ≤ 2s. We define Vk as the volume of a sphere of radius k. We evaluate N , the number of pairs (x, y) in all spheres of radius s, by two different ways. For more short notation, we will write t = x ± 2l instead of the two-sided inequality x − 2l ≤ t ≤ x + 2l. The first way. We denote the weights of spheres s as x1 , x2 , . . . , x2n . Since s of radius n every codeword is contained exactly in Vs = i=0 i spheres of radius s, we have 2n S := i=0 xi = mVs . The number of pairs of codewords in a sphere of radius s with the weight xi is equal to xi (xi − 1)/2. Correspondently, the number of pairs of codewords in all spheres of radius s is equal to n
N=
2 xi (xi − 1) i=0
2
2n
2n
1 2 1 = x − xi . 2 i=0 i 2 i=0
(15)
Since C is a l-UDS code, we have max{xi } − min{xi } ≤ l. Therefore, we can apply Lemma 7 to estimate the first addend: 2n
2n l 2 S2 S2 . ≤ x2i ≤ n + n 2 2 4 i=0 So, we obtain an evaluation for N ′ , substituting m, n, s for S 2 and using decomposition of sums of binomial coefficients by degree n (7): m2 1 · (n2s + (3s − s2 )n2s−1 + O(n2s−2 )) 2 · 2n (s!)2
3s − s2 s−1 2n l2 m 1 · n . + O(ns−2 ) ± − ns + 2 s! 2 8
N = N′ =
(16)
328
M. Yarykina / On Impossibility of Uniform Distribution of Codewords over Spheres
So, the number N of the pairs of codewords in all spheres of radius s, evaluated by the first way is obtained. The second way. The pairs of codewords in each sphere of radius s have mutual distances from 1 to 2s. Lets consider the spheres of radius 2s with centers in codewords. We partition these spheres to the strict spheres of radius from 1 to 2s. Then we evaluate the weight of each strict sphere and, separately, the number of pairs of codewords with a mutual distance 1, 2 and so on up to 2s. At first, we calculate the volume of a sphere of radius k: Vk =
k n i=0
i
=
1 k!
nk +
3k − k 2 k−1 n + O(nk−2 ) . 2
(17)
An average weight of the spheres of radius k is equal to Pk = mVk /2n . The weight of any sphere Sk (x) of radius k is wt(Sk (x)) = mVk /2n ± l, since C is an l-UDS code. We denote wt(ρk (x)) as the weight of a strict sphere of radius k with the center in x. We calculate it by formula wt(ρk (x)) = wt(Sk (x)) − wt(Sk−1 (x)), correspondingly, the weight of any strict sphere ρk of radius k satisfies inequality min{wt(Sk (x))} − max{wt(Sk−1 (x))} ≤ wt(ρk ) ≤ max{wt(Sk (x))} − min{wt(Sk−1 (x))}.
(18)
We denote by Nk the number of pairs of codewords of C at the distance k. We consider the strict sphere ρk (α) of radius k with a center in the codeword α in order to calculate Nk for each codeword α of code C. All codewords at the distance k from a codeword α are contained in this strict sphere ρk (α). The weight of this strict sphere is wt(ρk (α)). Similarly, we consider all codewords of the code C. So, each pair of codewords (α1 , α2 ) will be calculated twice: once as the pair with the codeword α1 and once as the pair with the codeword α2 . Since the number of codewords (the cardinality of the code C) is equal to m, the number of pairs of codewords of C at the distance k satisfies inequality: m m min{wt(ρk )} ≤ Nk ≤ max{wt(ρk )}. 2 2
(19)
The number of pairs of codewords of C in all spheres of radius s is equal to N=
2s
k=1
N k · pk ,
(20)
where pk is the number of spheres of radius s which have a pair of codewords at a distance k simultaniously. According Lemma 6, we have p2k ∼ p2k−1 . So, we can write the sum (20) as N = (N2s + N2s−1 ) · p2s + (N2s−2 + N2s−3 ) · p2s−2 + (N2s−4 + N2s−5 ) · p2s−4 + . . . . Therefore, it is sufficient to evaluate the sums of the form N2k + N2k−1 instead of Nk . According to expressions (18) and (19),
M. Yarykina / On Impossibility of Uniform Distribution of Codewords over Spheres
N2k + N2k−1 =
m m2 · 2l. (V2k − V2k−2 ) ± n 2·2 2
329
(21)
Now, we find the differences of volumes of the spheres, V2k − V2k−2 , for all k ≤ s, using (17):
2 1 3 · 2s − (2s) n2s−1 + O(n2s−2 ) , n2s + V2s − V2s−2 = (2s)! 2
1 V2s−2 − V2s−4 = n2s−2 (2s − 2)! 2 3 · (2s − 2) − (2s − 2) 2s−3 n + O(n2s−4 ) , + 2 V2s−2k − V2s−2(k+1) =
2s−2k 1 n + O(n2s−2k−1 ) (2s − 2k)!
for k ≥ 2.
Substituting obtained values in (21) and using pk from Lemma 6, we have N=
2s
k=1
=
N k · pk =
s−1
k=0
(N2s−2k + N2s−2k−1 ) · p2s−2k
m2 2s 6s − 4s2 2s−1 1 m2 2s 2s−2 n · + O(n ) ± · 2l · n + n n s 2·2 (2s)! 2 2·2
2 m2 1 6s − 6 − (2s − 2) 2s−3 2s−4 2s−2 + n n · + O(n ) + 2 · 2n (2s − 2)! 2
2s − 2 m2 · n + O(1) · 2l · ± s−1 2 · 2n s−1
2s−2k m2 1 m2 2s−2k−1 + n + O(n ) ± · · 2l · O(nk ). 2 · 2n (2s − 2k)! 2 · 2n k=2
Reducing similar terms, we obtain the evaluation for the number N of pairs of codewords in all spheres of radius s in sum by the second way: N ′′ =
m2 1 · (n2s + 3s − s2 n2s−1 + O(n2s−2 )) n 2 2·2 (s!) ±
m2 · 2l · O(ns−1 ). 2 · 2n
(22)
We analyse the case of m=α·
2n · (s − 1)! ns−1
For this value of cardinality of C the evaluations (22) and (16) have the forms:
(23)
330
M. Yarykina / On Impossibility of Uniform Distribution of Codewords over Spheres
α2 · 2n 2 (n + (3s − s2 )n + O(1)), 2s2 α2 · 2n 2 s n + (3s − s2 )n − n + O(1) . N = N′ ≤ 2 2s α
N = N ′′ =
Thus, upper and lower estimations for N differ in the addend (α2 · 2n /2s2 ) · O(1). Therefore, beginning with certain n, the estimation for N ′ is less than the estimation for N ′′ . This is a contradiction.
Acknowledgements The author expresses deep thanks to his scientific adviser Yu.V. Tarannikov for the continuous attention to this work and for the significant advices.
References [1] Yu.V. Tarannikov, On a class of Boolean functions distributed uniformly over spheres with degree 1, Vestnik of MSU, ser. 1 (math., mech.) 52(5) (1997), 18–22 (in Russian). [2] M.S. Yarykina, Application of bounds on sums of binomial coefficients to some problems of coding theory and cryptography, Mat. Voprosy Kibernetiki 12 (2003), Moscow, Fizmatlit, 87–108 (in Russian). [3] M. Fedorova and Yu. Tarannikov, On impossibility of uniform distribution of codewords over spheres in some cases, Proc. of 2002 IEEE International Symposium on Information Theory (ISIT’2002), Lausanne, Switzerland, June 30– July 5, 2002, 344. [4] M. Fedorova, New results on impossibility of uniform distribution of codewords over spheres, Proc. of 8th International Workshop on Algebraic and Combinatorial Coding Theory, Tsarskoe Selo, Russia, September 8–14, 2002, 104–107. [5] F.J. MacWilliams and N.J.A. Sloane, The theory of error-correcting codes, North-Holland Publishing Company, Amsterdam–New York–Oxford, 1977.
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-331
331
On the Structure of the Spectrum Support of Boolean Functions Alexander ZVEREV Lomonosov University, Moscow, Russia
Introduction The structure of stream chiphers is based on an addition of the plaintext, considered as a sequence of bits, with a pseudo-random sequence, generated by a secret key. There are some generators of linear recurrent sequences, used in the construction of a pseudorandom binary sequence with different periods. The outputs of such generators are conmined by a nonlinear Boolean function. In 1984 Siegenthaler [1] introduced the notion of a correlation-immune Boolean function and showed that the using of functions with high order of correlation-immunity for the generation of a pseudo-random sequence improves cryptographical qualities of the sequence. Thus, the reseach of high order correlation-immune Boolean functions is important for modern cryptography. In 2000 Tarannikov and Kirienko [2] suggested a new method to investigate high order correlation-immune Boolean functions, which is based on the spectrum support structure of these functions. The second chapter of this work deals with the reseach of the spectrum support of any Boolean function. In the third chapter we consider two matrices of a spectrum support. We prove that the first matrix doesn’t exist, for the second matrix we find the narrow class of the functions which can be reconstructed from the spectrum support and some restrictions for this matrix. In the fourth chapter of this work (n − 4)-resilent functions are studied and we prove the theorem without computer. This theorem states that the most n for (n − 4)-resilent function depended nonlinearly on all its n variables is equal to 10. This fact was proved earlier by Kirienko in his work, but the computer search was applied in his proof. In this article we use only facts which are proved in part 2 and earlier.
1. Definitions We give some necessary definitions.
332
A. Zverev / On the Structure of the Spectrum Support of Boolean Functions
Definition 1. The Walsh Transform of a Boolean function f is a function over Fn2 : χ f (u) =
(−1)f (x)+u,x .
x∈Fn 2
f (u) is called the Walsh Coefficient. Walsh Definition 2. For every u ∈ Fn2 the value χ coefficients are called Spectral Coefficients. The set of Spectral Coefficients is called the Spectrum of Boolean function f . Definition 3. The Spectrum Support of f is the subset Sf from Fn2 : Sf = {u ∈ Fn2 | χ f (u) = 0}.
Definition 4. We denote by M (f ) the (0, 1) matrix with n columns, obtained by writing in rows all vectors from Sf . This matrix is called the Matrix of the Spectrum Support. Definition 5. Walsh coefficients satisfy the next Inversion formula: (−1)f (x) = 2−n
u∈Fn 2
χ f (u)(−1)u,x .
f (u) = 0 for all u such that Lemma 1. The function f depends on xi linearly iff χ ui = 0.
Definition 6. A Boolean function f is said to be correlation immune of order m, with 1 ≤ m ≤ n if the output f and any m input variables are statistically independent. In equivalent non-probabilistic formulation the Boolean function f is called correlation immune of order m if wt(f ′ ) = wt(f )/2m for any its subfunction f ′ of m − n variables. Definition 7. A balanced mth order correlation immune function is called an m-resilient function. f (u) = Lemma 2. A function f on Fn2 is an mth order correlation immune function iff χ 0 for all u ∈ Fn2 with 1 ≤ |u| ≤ m. Lemma 3. If f is an mth order correlation immune function on Fn2 , m ≤ n − 1, then f (u) ≡ 0 χ f (u) ≡ 0 (mod 2m+1 )). Moreover, if f is m-resilient m ≤ n − 2, then χ (mod 2m+2 )). 2. Matrix of Spectrum Support of Boolean Function In this chapter the subject of reseach is matrices of the spectrum support of Boolean functions that depend nonlinearly on all its variables. Theorem 1. A matrix of spectrum support of Boolean function f = f (x1 , . . . , xn ) that depends nonlinearly on all its variables cannot have the following representation for any n1 , n2 , m1 , m2 ∈ N:
333
A. Zverev / On the Structure of the Spectrum Support of Boolean Functions
... 1 , 1 ...
where n = n1 + n2 , the first m1 rows have units in the last n2 coordinates and the last m2 rows have units in the first n1 coordinates. Note. We consider that each column has at least one zero, otherwise the function f depends linearly on at least one variable. Theorem 2. Suppose that the matrix of the spectrum support have the following representation:
... ∗ 1 . 1 ∗ ... The difference from the matrix, which is considered in Theorem 1, is the column denoted by stars which has at least one zero in the first m1 and in the last m2 rows. Let n1 be the number of columns before the column denoted by stars and, correspondently, n2 be the number of columns after the column denoted by stars, hence n = n1 + n2 + 1. Then the function f that can be reconstructed from the spectrum has the following form: f (x1 , . . . , xn ) = xn1 +1 ·
f1 (x1 , . . . , xn1 )
⊕ (xn1 +1 ⊕ 1) ·
n 1 % i=1
n %
i=n1 +2
xi
xi ⊕ f2 (xn1 +2 , . . . , xn )
and the matrix of the spectrum support consists of pairs of rows differed only in the column n1 + 1. Thus, if the matrix M has odd number of rows, then the function cannot be reconstructed from the spectrum. Now we mention another qualities of such matrices. This qualities was introduced by Tarannikov and Kirienko in their work [2]. Lemma 4. Let M = M (f ) be the matrix support of f . If M contains a column with exactly one symbol 0 then f has only one nonzero Walsh coefficient and f is an affine function. Let f be an mth order correlation immune nonlinear function over Fn2 . Decompose the matrix M = M (f ) into the matrices M1 , M2 , . . . where the matrix Mi contains all rows of M that correspond to vector u such that χ f (u) = 2m+i+1 (mod2m+i+2 ). Let ri be the number of rows in Mi . Parseval’s equation follows that r1 + 4 · r2 + 16 · r3 + . . . ≤ 4n−m−2 . Lemma 5. In the matrix M1 inside of any h columns, h ≤ n − m − 2, every possible h-tuple occurs in even number of rows. Lemma 6. In the matrix Mi inside of any h columns, 0 < h ≤ n − m − i − 1, that are all ones in matrices M1 , M2 , . . . , Mi all zeroes h-tuples occure in even number of rows.
334
A. Zverev / On the Structure of the Spectrum Support of Boolean Functions
Lemma 7. Let f be an (m = n − 4)th order correlation immune function on Fn2 and the matrix M1 does not contain all zeroes row. Then if some column of M1 contains at least one symbol 0 then this column contains at least 4 zeroes. 3. (n − 4)-Resilent Functions If a function f is (n−k)-resilient, then the function g(x1 , . . . , xn+1 ) = f (x1 , . . . , xn )+ xn+1 is ((n − k) + 1)-resilient. But the existence of linear variables does not improve cryptographical qualities of Boolean function. Tarannikov (1999) had proved that there exists for any k ∈ N the minimum positive integer p(k) such that any (n − k)-resilient function depends nonlinearly on at most p(k) variables. • p(3) = 4 (Camion, Carlet, Charpin, and Sendrier, 1991) [3]. Upper and lower bounds for p(k) have been proved by Tarannikov in [4]: 3 · 2k−2 − 2 ≤ p(k) ≤ (k − 1) · 2k−2 . Thus, if n > p(k) then we can get a new (n − k)-resilient function only applying linear variables to (n − k)-resilient functions for less n. • p(1) = 0, p(2) = 1; • p(3) = 4 (Camion, Carlet, Charpin, and Sendrier, 1991); [3] • p(4) = 10 (Kirienko, 2001) [2]. Denote by R(n, n − k) the number of (n − k)-resilient functions. 5 2 R(n, n − 3) = n4 − n3 + n + 2, 3 3 for n ≥ 4. The first version of this formula was obtained in [3] for cubic functions. R(n, n − 4) =
1 10 7 9 890 8 10903 7 64288 6 953353 5 n + n + n − n + n + n 2 6 9 9 45 45 1341749 4 899881 3 364768 2 1048601 n + n + n − n + 2, − 18 18 5 15
for n ≥ 10. (Kirienko, 2004) [5] Kirienko obtained his result by the using of a computer search. Many mathematicians consider the approach with a computer proof as non perfect. We prove that p(4) = 10 without a computer search and calculations. Theorem 3. For n ≥ 11 there does not exist (n−4)-resilient function on Fn2 that depends nonlinearly on all its n variables. Ideas of Proof. From inequalities for p(k) the bounds 10 ≤ p(4) ≤ 12 follow. By Parseval’s equation the condition on the number of rows in M — the Matrix of the Spectrum Support — is r1 + 4 · r2 ≤ 16. Using properties of M and some properties of resilient functions we obtain that if r2 ≥ 1 then n ≤ 9. So M = M1 and the number of rows in M is equal to 16 and we have only two cases for the size of M : 16 × 12 or 16 × 11. Consider the first case 16 × 12. The matrix satisfies to following conditions:
A. Zverev / On the Structure of the Spectrum Support of Boolean Functions
335
• 1) We can construct this matrix up to a permutation of rows and columns. The permutation of columns is the permutation of variables. The permutation of rows does not change the function anywhere. • 2) From the definition of the resilient function the number of zeroes in any row less than n − (n − 4) = 4. • 3) Any column in M has at least one zero, otherwise the function f depends linearly on at least one variable. • 4) By Lemma 7 any column contains at least 4 zeroes. • 5) From conditions on the number of zeroes in rows and columns, any row in M has 3 zeroes and any column has 4 zeroes. • 6) By Lemma 5 in M inside of any 2 columns every possible 2-tuple occurs in even number of rows. We construct the only possible matrix, using the fact that the matrix M has not repeated rows.
Step 1. Consider the first column. Using the first and the fifth conditions we can put 4 zeroes from the first column into the first four rows and 3 zeroes from the first row into the first three columns: ⎞ ⎛ 0 0 0 1 ··· ⎜0 ∗ ∗ ∗ · · ·⎟ ⎟ ⎜ ⎜0 ∗ ∗ ∗ · · ·⎟ ⎟ ⎜ ⎜0 ∗ ∗ ∗ · · ·⎟ ⎟ ⎜ ⎜1 ∗ ∗ ∗ · · ·⎟ ⎟ ⎜ ⎜1 ∗ ∗ ∗ · · ·⎟ ⎟. ⎜ ⎜1 ∗ ∗ ∗ · · ·⎟ ⎟ ⎜ ⎜1 ∗ ∗ ∗ · · ·⎟ ⎟ ⎜ ⎜1 ∗ ∗ ∗ · · ·⎟ ⎟ ⎜ ⎜ .. .. .. .. . . ⎟ ⎝. . . . .⎠ 1 ∗ ∗ ∗ ···
Step 2. Consider the second column. Using the first and the sixth condition we can put the second zero from this column into the second row. The third and the fourth rows have ones, otherwise if the third and the fourth rows have zeroes then the matrix M has repeated rows. Using the first and the fifth conditions we have that the fifth and the sixth rows have last 2 zeroes:
336
A. Zverev / On the Structure of the Spectrum Support of Boolean Functions
⎛
⎞ 0 0 0 1 ··· ⎜0 0 ∗ ∗ · · ·⎟ ⎜ ⎟ ⎜0 1 ∗ ∗ · · ·⎟ ⎜ ⎟ ⎜0 1 ∗ ∗ · · ·⎟ ⎜ ⎟ ⎜1 0 ∗ ∗ · · ·⎟ ⎜ ⎟ ⎜1 0 ∗ ∗ · · ·⎟ ⎜ ⎟. ⎜1 1 ∗ ∗ · · ·⎟ ⎜ ⎟ ⎜1 1 ∗ ∗ · · ·⎟ ⎜ ⎟ ⎜1 1 ∗ ∗ · · ·⎟ ⎜ ⎟ ⎜ .. .. .. .. . . ⎟ ⎝ . . . . .⎠ 1 1 ∗ ∗ ··· Step 3. Consider the third column. Using the first and the sixth conditions for the pair of columns (the first and the third columns) we can put the second zero into the third row and using the first and the sixth conditions for the pair of columns (the second and the third columns) we can put the third zero into the fifth row. The second, the fourth and the sixth rows have ones. Put the last zero into the seventh column: ⎛ ⎞ 0 0 0 1 ··· ⎜0 0 1 ∗ · · ·⎟ ⎜ ⎟ ⎜0 1 0 ∗ · · ·⎟ ⎜ ⎟ ⎜0 1 1 ∗ · · ·⎟ ⎟ ⎜ ⎜1 0 0 ∗ · · ·⎟ ⎟ ⎜ ⎜1 0 1 ∗ · · ·⎟ ⎟. ⎜ ⎜1 1 0 ∗ · · ·⎟ ⎟ ⎜ ⎜1 1 1 ∗ · · ·⎟ ⎟ ⎜ ⎜1 1 1 ∗ · · ·⎟ ⎟ ⎜ ⎜ .. .. .. .. . . ⎟ ⎝ . . . . .⎠ 1 1 1 ∗ ··· Step 4. Consider the fourth column. Using the first condition we can put the last zero from the second row into this column. Consider the sixth condition. The third row has one and the fourth row has zero, otherwise the pair of zeroes from the fourth row (the first and i-th columns) has not the same pair. The fifth row has one and the sixth row has zero otherwise the pair of zeroes from the sixth row (the second and i-th columns) has not the same pair. The seventh row has one. Put the last zero into the eighth column:
A. Zverev / On the Structure of the Spectrum Support of Boolean Functions
337
⎞ ⎛ 0 0 0 1 ∗ ··· ⎜0 0 1 0 ∗ · · ·⎟ ⎟ ⎜ ⎜0 1 0 1 ∗ · · ·⎟ ⎟ ⎜ ⎜0 1 1 0 ∗ · · ·⎟ ⎟ ⎜ ⎜1 0 0 1 ∗ · · ·⎟ ⎟ ⎜ ⎜1 0 1 0 ∗ · · ·⎟ ⎟. ⎜ ⎜1 1 0 1 ∗ · · ·⎟ ⎟ ⎜ ⎜1 1 1 0 ∗ · · ·⎟ ⎟ ⎜ ⎜1 1 1 1 ∗ · · ·⎟ ⎟ ⎜ ⎜ .. .. .. .. .. . . ⎟ ⎝. . . . . .⎠ 1 1 1 1 ∗ ··· Step 5. Consider the fifth column. The first and the second columns have ones. Using the first condition we can put the last zero from the third row into this column. Consider the sixth condition. Put the second zero into the fourth row. The fifth row has one and the seventh row has zero otherwise the pair of zeroes from the seventh row (the third and i-th columns) has not the same pair. The sixth row has one and the eighth row has zero: ⎛ ⎞ 0 0 0 1 1 ∗ ··· ⎜0 0 1 0 1 ∗ · · ·⎟ ⎜ ⎟ ⎜0 1 0 1 0 ∗ · · ·⎟ ⎜ ⎟ ⎜0 1 1 0 0 ∗ · · ·⎟ ⎜ ⎟ ⎜1 0 0 1 1 ∗ · · ·⎟ ⎟ ⎜ ⎜1 0 1 0 1 ∗ · · ·⎟ ⎟. ⎜ ⎜1 1 0 1 0 ∗ · · ·⎟ ⎟ ⎜ ⎜1 1 1 0 0 ∗ · · ·⎟ ⎟ ⎜ ⎜1 1 1 1 1 ∗ · · ·⎟ ⎟ ⎜ ⎜ .. .. .. .. .. .. . . ⎟ ⎝. . . . . . .⎠ 1 1 1 1 1 ∗ ··· Step 6. Consider the sixth column. The first four columns have ones. Using the first condition we can put the last zero from the fifth row into this column. Using the sixth condition we get that the fifth, the sixth, the seventh and the eighth rows have zeroes: ⎞ ⎛ 0 0 0 1 1 1 ··· ⎜0 0 1 0 1 1 · · ·⎟ ⎟ ⎜ ⎜0 1 0 1 0 1 · · ·⎟ ⎟ ⎜ ⎜0 1 1 0 0 1 · · ·⎟ ⎟ ⎜ ⎜1 0 0 1 1 0 · · ·⎟ ⎟ ⎜ ⎜1 0 1 0 1 0 · · ·⎟ ⎟. ⎜ ⎜1 1 0 1 0 0 · · ·⎟ ⎟ ⎜ ⎜1 1 1 0 0 0 · · ·⎟ ⎟ ⎜ ⎜1 1 1 1 1 1 · · ·⎟ ⎟ ⎜ ⎜ .. .. .. .. .. .. . . ⎟ ⎝. . . . . . .⎠ 1 1 1 1 1 1 ···
338
A. Zverev / On the Structure of the Spectrum Support of Boolean Functions
We construct the first six columns. Applying the analogous method for the last columns we obtain that in the first case 16 × 12 there exists only one matrix M . ⎞ ⎛ 000111111111 ⎜0 0 1 0 1 1 1 1 1 1 1 1⎟ ⎟ ⎜ ⎜0 1 0 1 0 1 1 1 1 1 1 1⎟ ⎟ ⎜ ⎜0 1 1 0 0 1 1 1 1 1 1 1⎟ ⎟ ⎜ ⎜1 0 0 1 1 0 1 1 1 1 1 1⎟ ⎟ ⎜ ⎜1 0 1 0 1 0 1 1 1 1 1 1⎟ ⎟ ⎜ ⎜1 1 0 1 0 0 1 1 1 1 1 1⎟ ⎟ ⎜ ⎜1 1 1 0 0 0 1 1 1 1 1 1⎟ ⎟ ⎜ ⎜1 1 1 1 1 1 0 0 0 1 1 1⎟ . ⎟ ⎜ ⎜1 1 1 1 1 1 0 0 1 0 1 1⎟ ⎟ ⎜ ⎜1 1 1 1 1 1 0 1 0 1 0 1⎟ ⎟ ⎜ ⎜1 1 1 1 1 1 0 1 1 0 0 1⎟ ⎟ ⎜ ⎜1 1 1 1 1 1 1 0 0 1 1 0⎟ ⎟ ⎜ ⎜1 1 1 1 1 1 1 0 1 0 1 0⎟ ⎟ ⎜ ⎝1 1 1 1 1 1 1 1 0 1 0 0⎠ 111111111000
This matrix satisfies to the condition of Theorem 1. Therefore for n = 12 there does not exist function that depends nonlinearity on all its n variables. Consider the second case 16×11. We apply the analogous method to construct these matrices. In the second case 16 × 11 there exists only one matrix M . ⎞ ⎛ 00011111111 ⎜0 0 1 0 1 1 1 1 1 1 1⎟ ⎟ ⎜ ⎜0 1 0 1 0 1 1 1 1 1 1⎟ ⎟ ⎜ ⎜0 1 1 0 0 1 1 1 1 1 1⎟ ⎟ ⎜ ⎜1 0 0 1 1 0 1 1 1 1 1⎟ ⎟ ⎜ ⎜1 0 1 0 1 0 1 1 1 1 1⎟ ⎟ ⎜ ⎜1 1 0 1 0 0 1 1 1 1 1⎟ ⎟ ⎜ ⎜1 1 1 0 0 0 1 1 1 1 1⎟ ⎟ ⎜ ⎜0 1 1 1 1 1 0 0 1 1 1⎟ . ⎟ ⎜ ⎜0 1 1 1 1 1 0 1 0 1 1⎟ ⎟ ⎜ ⎜0 1 1 1 1 1 1 0 1 0 1⎟ ⎟ ⎜ ⎜0 1 1 1 1 1 1 1 0 0 1⎟ ⎟ ⎜ ⎜1 1 1 1 1 1 0 0 1 1 0⎟ ⎟ ⎜ ⎜1 1 1 1 1 1 0 1 0 1 0⎟ ⎟ ⎜ ⎝1 1 1 1 1 1 1 0 1 0 0⎠ 11111111000
This matrix satisfies to the condition of Theorem 2 and all rows have the same number of zeroes. Therefore for n = 11 there does not exist a function that depends nonlinearly on all its n variables. Corollary. The maximum n for an (n − 4)-resilient function on Fn2 that depends nonlinearly on all its n variables, is equal to 10. In other words, p(4) = 10.
339
A. Zverev / On the Structure of the Spectrum Support of Boolean Functions
The function has the following form: f (x1 , . . . , x10 ) = (x1 ⊕ x10 ) ·
f1 (x2 , . . . , x5 )
⊕ (x1 ⊕ x10 ⊕ 1) ·
9 % i=6
5 % i=2
xi
xi ⊕ f2 (x6 , . . . , x9 ) .
The matrix has the following form: ⎞ 0001111111 ⎜0 0 1 0 1 1 1 1 1 1 ⎟ ⎟ ⎜ ⎜0 1 0 1 0 1 1 1 1 1 ⎟ ⎟ ⎜ ⎜0 1 1 0 0 1 1 1 1 1 ⎟ ⎟ ⎜ ⎜1 0 0 1 1 0 1 1 1 1 ⎟ ⎟ ⎜ ⎜1 0 1 0 1 0 1 1 1 1 ⎟ ⎟ ⎜ ⎜1 1 0 1 0 0 1 1 1 1 ⎟ ⎟ ⎜ ⎜1 1 1 0 0 0 1 1 1 1 ⎟ ⎟ ⎜ ⎜0 1 1 1 1 1 0 0 1 1 ⎟ . ⎟ ⎜ ⎜0 1 1 1 1 1 0 1 0 1 ⎟ ⎟ ⎜ ⎜0 1 1 1 1 1 1 0 1 0 ⎟ ⎟ ⎜ ⎜0 1 1 1 1 1 1 1 0 0 ⎟ ⎟ ⎜ ⎜1 1 1 1 1 0 0 0 1 1 ⎟ ⎟ ⎜ ⎜1 1 1 1 1 0 0 1 0 1 ⎟ ⎟ ⎜ ⎝1 1 1 1 1 0 1 0 1 0 ⎠ 1111101100 ⎛
4. Conclusion We prove Theorem 3 without a computer search. We use only Theorem 1, Theorem 2 and another properties of the matrix of the spectrum support. We note that for k = 3 and k = 4 the value p(k) achieves the lower bound. Analyzing this problem Tarannikov suggested the hypothesis that the value p(k) is equal to the lower bound. Open problem in this direction are: • to find precise upper bound for p(k) when k = 5; • to improve upper bound for p(k) for all values of k.
References [1] T. Siegenthaler, Correlation-immunity of nonlinear combining functions for cryptographic applications, IEEE Transactions on Information theory IT-30(5) (1984), 776–780. [2] Yu.V. Tarannikov and D.P. Kirienko, Spectral Analysis of High Order Correlation Immune Function, Proc. of international school-seminar “Synthesis and complexity of controlling systems”, Moscow, 2001. [3] P. Camion, C. Carlet, P. Charpin, and N. Sendrier, On correlation-immune function, Proc. of Crypto’91, Lecture Notes in Computer Science 576 (1991), 86–100.
340
A. Zverev / On the Structure of the Spectrum Support of Boolean Functions
[4] Yu. Tarannikov, On resilient Boolean functions with maximal possible nonlinearity, Proc. of Indocrypt’2000, Lecture Notes in Computer Science 1977 (2000), 19–30. [5] D.P. Kirienko, On the number of (n − 4)th order correlation-immune and resilient Boolean functions functions, Proc. of VIII international seminar “Discrete Mathematics and applications”, Moscow, February 2–6, 2004, 421–424 (in Russian).
Some Open Problems
This page intentionally left blank
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved. doi:10.3233/978-1-58603-878-6-343
343
Open Problems in Boolean Function Theory. The Cryptographer's View Abstract. The paper contains a list of those open problems in Boolean function theory that are of primary importance for cryptology. Keywords. Boolean function, problem
Introduction This paper initiates a new line of activity aimed at maintaining a list of those open problems in Boolean function theory that are of primary importance for cryptology. A preliminary variant of this paper was distributed to participants of the ASI for discussion.
1. Notation and Definitions In this section we present for reference purposes some commonly used notions on Boolean functions. Specialists can skip this section. Let N be the set of all positive integers, N0 = N ∪ {0}, and Z be the ring of integers. For an arbitrary n ∈ N, denote by F2n the field with 2n elements and by Vn = Fn2 the vector space of all strings of length n with elements in the field F2 . The field operations in F2 are denoted by ⊕ (addition modulo 2) and · (multiplication modulo 2). The same symbol ⊕ denotes also the componentwise addition (modulo 2) of vectors in Fn2 . A Boolean function is a map from Vn (for some n ∈ N) to F2 . By Fn we denote the set of all Boolean functions on Vn . If x = (x1 , . . . , xn ) (where xi ∈ F2 ) is an argument of a Boolean function f , then x1 , . . . , xn are called variables of the function f . A Boolean mapping is a map from Vn to Vm for some n, m ∈ N. The set of all Boolean mappings from Vn to Vm is denoted by Fn,m . Any Boolean mapping Φ ∈ Fn,m can be specified by m Boolean functions f1 , . . . , fm ∈ Fn such that Φ(x) = (f1 (x), . . . , fm (x)) for all x ∈ Vn . These Boolean functions f1 , . . . , fm are called the coordinate functions of Φ. In particular, Fn,1 can be identified with Fn in an evident way. The number of 1-entries in a vector x ∈ Vn is called the weight of x and is denoted by wt(x). Let n = {1, 2, . . . , n}. For an arbitrary x ∈ Vn , the set supp(x) = {i ∈ n | xi = 1} is called the support of x. It is clear that wt(x) = # supp(x) (#M denotes the number of elements in a set M ). Define the natural ordering 0 < 1 on F2 . We say that x ∈ Vn precedes y ∈ Vn and write x y if xi ≤ yi for any i ∈ n. If x = y and x y, then we say that x strictly precedes y. By 0 and 1 we denote the all-zeroes and all-ones vectors respectively.
344
Open Problems in Boolean Function Theory. The Cryptographer’s View
The Hamming distance dist(x, y) between two vectors x, y ∈ Vn is the number of components in which they differ. Stated otherwise, dist(x, y) = wt(x ⊕ y). Two vectors x and y are called adjacent if dist(x, y) = 1. The weight of a function f ∈ Fn is the number of vectors x ∈ Vn such that f (x) = 1. For an arbitrary function f ∈ Fn , the set supp(f ) = {x ∈ Vn | f (x) = 1} is called the support of f . It is clear that wt(f ) = # supp(f ). The distance between two Boolean functions f, g ∈ Fn is defined by dist(f, g) = wt(f ⊕ g) = # supp(f ⊕ g). A Boolean mapping Φ ∈ Fn,m (where n ≥ m) is called balanced if #Φ−1 (y) = for any y ∈ Vm . Obviously, a Boolean function f ∈ Fn is balanced iff wt(f ) = 2 2n−1 . A variable xi is essential for a Boolean mapping Φ ∈ Fn,m if n−m
Φ(x1 , . . . , xi−1 , 0, xi+1 , . . . , xn ) = Φ(x1 , . . . , xi−1 , 1, xi+1 , . . . , xn ) for all x1 , . . . , xi−1 , xi+1 , . . . , xn ∈ F2 . If xi is not essential, then it is said to be dummy. Let F n,m be the set of all functions in Fn,m without dummy variables. A subfunction of a Boolean mapping Φ ∈ Fn,m is a Boolean mapping obtained by substituting constants 0 or 1 for some of its variables. If one substitutes constants ai1 , . . . , ais for variables xi1 , . . . , xis respectively, then the resulting function is denoted a 1 ,...,ais . by Φi1i,...,i s The string (Φ(0, 0, . . . , 0), Φ(1, 0, . . . , 0), Φ(0, 1, . . . , 0), Φ(1, 1, . . . , 0), . . . Φ(1, 1, . . . , 1)) is called the table of values of a Boolean mapping Φ ∈ Fn,m . If M ⊆ Vn , then the table of values of its indicator χM is called the incidence vector of the set M . Here χM (x) = 1 if x ∈ M and χM (x) = 0 otherwise. Any function f ∈ Fn has a unique representation by a polynomial Pf ∈ F2 [x1 , . . . , xn ] of the form %
I⊆n
cI
0
xi ,
i∈I
where cI ∈ F2 . The polynomial Pf is called the algebraic normal form of the function f . Then deg f = deg Pf = max{#I | I ⊆ n, cI = 0} is the algebraic degree of f and deg(f, xi ) = deg(Pf , xi ) = max{#I | i ∈ I ⊆ n, cI = 0} is the algebraic degree of f w.r.t. the variable xi . By agreement, max ∅ = 0. If xi is a dummy variable of the function f , then deg(f, xi ) = 0. A function f is called linear in a variable xi if deg(f, xi ) = 1 and nonlinear in this variable if deg(f, xi ) ≥ 2. A function f ∈ Fn is affine if deg f ≤ 1. A Boolean mapping is said to be affine if all its coordinate
Open Problems in Boolean Function Theory. The Cryptographer’s View
345
functions are affine. We also put RM(d, n) = {f ∈ Fn | deg f ≤ d}; this set is called the Reed–Muller code of order d and length 2n . The algebraic immunity AI(f ) of a Boolean function f ∈ Fn is the minimal algebraic degree of a nonzero Boolean function g such that f · g = 0 or (f + 1) · g = 0. The derivative of a Boolean mapping Φ ∈ Fn,m w.r.t. a vector u ∈ Vn is the Boolean mapping Du Φ ∈ Fn,m such that Du Φ(x) = Φ(x ⊕ u) ⊕ Φ(x) for all x ∈ Vn . If L is a subspace of Vn , then the Boolean mapping DL Φ ∈ Fn,m given by DL Φ(x) =
%
u∈L
Φ(x ⊕ u)
is called the derivative of Φ w.r.t. the subspace L. The Fourier transform of a Boolean function f ∈ Fn is the integer-valued function Ff : Vn → [−2n , 2n ] given by Ff (u) =
f (x)(−1)u,x ,
x∈Vn
where u, x! = u1 x1 ⊕ · · · ⊕ un xn (u, v ∈ Vn ). For any u ∈ Vn , the integer Ff (u) is called the Fourier coefficient of f . The set {Ff (u) | u ∈ Vn } is said to be the Fourier spectrum of f . The Walsh transform of a Boolean function f ∈ Fn is the integer-valued function Wf : Vn → [−2n , 2n ] given by Wf (u) =
(−1)f (x)⊕u,x .
x∈Vn
For any u ∈ Vn , the integer Wf (u) is called the Walsh coefficient of f . The set {Wf (u) | u ∈ Vn } is said to be the Walsh spectrum of f . The set {u ∈ Vn | Wf (u) = 0} is called the Walsh spectrum support of f . The cross-correlation between two Boolean functions f, g ∈ Fn is the integervalued function Δf,g : Vn → [−2n , 2n ] defined by Δf,g (u) =
(−1)f (x)⊕g(x⊕u) .
x∈Vn
The auto-correlation of a Boolean function f ∈ Fn is the integer-valued function Δf : Vn → [−2n , 2n ] defined by Δf (u) = Δf,f (u) =
(−1)f (x)⊕f (x⊕u) .
x∈Vn
Let f ∈ Fn and let M be a nonempty subset of Fn . The nonnegative integer dist(f, M) = ming∈M dist(f, g) is called the distance between the function f and the set M. The distance between the function f and the set of all affine functions in Fn is called the nonlinearity of f and is denoted by Nf . It is known that Nf = 2n−1 −
1 max |Wf (u)|. 2 u∈Vn
346
Open Problems in Boolean Function Theory. The Cryptographer’s View
The index of linearity il(Φ) of a Boolean mapping Φ ∈ Fn,m is the minimal nonnegative integer k such that there exist a linear function h ∈ Fn,k and a collection of affine functions Au ∈ Fn,m (u ∈ Vk ) satisfying Φ(x) = Ah(x) (x) for all x ∈ Vn . Two functions f, g ∈ Fn are affine equivalent if there is a one-to-one affine mapping A ∈ Fn,n such that f (x) = g(A(x)) for all x ∈ Vn . Let M be a subset of Fn . A map π on M is called affine invariant for M if π(f ) = π(g) whenever f and g are affine equivalent (f, g ∈ M). A system of affine invariants π1 , . . . , πm for M is complete if f and g are affine equivalent whenever πi (f ) = πi (g) for all i ∈ m (f, g ∈ M). Let f ∈ Fn . The function f is called correlation immune of order k ∈ n if a ,...,a wt(f ) ik i1 = wt fi1 ,...,i k 2k
for any i1 , . . . , ik satisfying 1 ≤ i1 < · · · < ik ≤ n and any ai1 , . . . , aik ∈ F2 . The function f is correlation immune of order k iff Wf (u) = 0 for all u ∈ Vn satisfying 1 ≤ wt(u) ≤ k. By definition, cor f is the maximal positive integer k such that f is correlation immune of order k, or 0 if there is no such positive integer k. We put CI(n) = {f ∈ Fn | cor f ≥ 1}. Let Φ ∈ Fn,m . The mapping Φ ∈ Fn,m is (n, m, k)-resilient (where 1 ≤ k ≤ ai1 ,...,aik n − m) if Φi1 ,...,i is balanced for any i1 , . . . , ik satisfying 1 ≤ i1 < · · · < ik ≤ k n and any ai1 , . . . , aik ∈ F2 . By definition, sut Φ is the maximal positive integer k such that Φ is (n, m, k)-resilient, or 0 if there is no such positive integer k. A balanced Boolean function f ∈ Fn is called k-resilient if it is correlation immune of order k, or, equivalently, (n, 1, k)-resilient in the above sense. A Boolean function f ∈ Fn is called plateaued of order 2r (where r ∈ {0, . . . , n}) if Wf (u) ∈ {0, ±2n−r } for any u ∈ Vn . Let S be a subset of Vn and let g be a function from S to F2 . For an arbitrary u ∈ Vn , put WgS (u) =
(−1)g(x)⊕u,x .
x∈S
8 √ 9 The function g is called partial bent function if WgS (u) ∈ ± #S for any u ∈ Vn , or, equivalently,
(−1)g(x)⊕g(x⊕u) = 0
x∈S∩(S⊕u)
the set of all partial bent functions on the set S. for all u ∈ Vn \{0}. By Bn (S) we denote√ If g ∈ Bn (S), then WgS (u) = (−1)g(u) #S for a unique Boolean function g ∈ Fn . This function g is called dual for g. The map g → g is a one-to-one correspondence between Bn (S) and the set of all plateaued functions f ∈ Fn with Walsh spectrum support S. If S = Vn , then 8a partial9 bent function is called bent. Namely, a function f ∈ Fn is bent iff Wf (u) ∈ ±2n/2 for any u ∈ Vn . Equivalently, a function f ∈ Fn is bent iff it has the maximum possible nonlinearity 2n−1 − 2n/2−1 . The set of all bent functions in Fn is denoted by Bn . This set is nonempty iff n is even. A Boolean function f ∈ Fn is said to have defect zero if the system of equations
Open Problems in Boolean Function Theory. The Cryptographer’s View
f (xi , . . . , xi+n−1 ) = yi ,
347
i ∈ m,
has a solution (x1 , . . . , xm+n−1 ) ∈ Vm+n−1 for every y1 , . . . , ym ∈ F2 and every m ∈ N. This condition is equivalent to the perfect balancedness, i.e., existence of exactly 2n−1 solutions of this system for each y1 , . . . , ym ∈ F2 and m ∈ N. For an arbitrary ∞ ∞ f ∈ Fn , define the function f ∗ : F∞ 2 → F2 (where F2 is the set of all infinite sequences x1 , x2 , . . . over F2 ) by f (x1 , x2 , . . . ) = (f (x1 , . . . , xn ), f (x2 , . . . , xn+1 ), . . . , f (xi , . . . , xi+n−1 ), . . . ). A Boolean function f ∈ Fn is called locally invertible if there exist m ∈ N and (y1 , . . . , ym ) ∈ Vm such that
∗ −1 • My = {(z1 , z2 , . . . ) ∈ F∞ (y1 , . . . , ym , z1 , z2 , . . . ) = ∅} = ∅ and 2 | (f ) • for any (z1 , z2 , . . . ) ∈ My and (u1 , u2 , . . . ), (w1 , w2 , . . . ) ∈ (f ∗ )−1 (y1 , . . . , ym , z1 , z2 , . . . ) we have ui = wi whenever i ≥ m + 1.
A Hadamard matrix is a n × n-matrix H with ±1 entries such that HH ∗ = nE (over Z), where H ∗ is the transpose of H and E is the identity matrix.
2. Research Problems 2.1. Computational Complexity Problems In this subsection, we have adopted the following structure of problem statement. The paragraph D EFINITION ( S ), if present, contains definitions that are needed for problem at hand but could not be found in the preceding section. In the paragraph I NSTANCE we formally specify an instance of the problem. The paragraph Q UESTION specifies what does it mean to solve an instance of the problem. The research problems concerning a computation complexity problem from this subsection are: • find a “large” standard complexity class C such that the problem is C-complete or C-hard; • find a “small” standard complexity class D such that the problem is in D; • construct an efficient (e.g., polynomial-time) algorithm for solving this problem; • obtain a nontrivial lower or upper bound on complexity of this problem. In the computational complexity problems, we assume (unless otherwise specified) that integers in instances are given in binary, Boolean mappings (in particular, Boolean functions) are represented by their tables of values, and subsets of Vn are given by their incidence vectors. However, many of these problems remain interesting in other settings, e.g., Boolean mappings can be specified by Boolean circuits or oracles. C1. I NSTANCE: Set M ⊆ Vn . Q UESTION: Is there a function f ∈ Fn such that Wf (u) = 0 iff u ∈ M ? C2. I NSTANCE: Set M ⊆ Vn . Q UESTION: Is there a function f ∈ Fn such that Δf (u) = 0 iff u ∈ M ? C3. I NSTANCE: Integer s ∈ 2n .
348
Open Problems in Boolean Function Theory. The Cryptographer’s View
Q UESTION: Is there a function f ∈ Fn such that #{u ∈ Vn | Wf (u) = 0} = s?
C4. I NSTANCE: Integer-valued function Δ : Vn → [−2n , 2n ] such that Δ(0) = 2n . Q UESTION: Is there a function f ∈ Fn such that Δf = Δ?
C5. I NSTANCE: Boolean mapping Φ ∈ Fn,m (possibly from some cryptographically significant class of Boolean mappings). Q UESTION: Find il(Φ). C6. I NSTANCE: Set M ⊆ Vn . Q UESTION: Is Bn (M ) nonempty?
C7. D EFINITION . For a function f ∈ Fn , put div2 (f ) = max{i ∈ n | 2i divides Wf (u) for all u ∈ Vn }. This parameter is an affine invariant for Fn . I NSTANCE: Boolean function f ∈ Fn . Q UESTION: Find div2 (f ).
C8. D EFINITIONS . Any function f ∈ Fn of algebraic degree at most n − 1 can be represented in the form f (x) = (xj ⊕ 1)f1 (x) ⊕ xj f2 (x), where j ∈ n, xj is dummy for f1 and f2 (hence we may assume that f1 , f2 ∈ Fn−1 ), deg f1 = deg f2 = deg f , deg f1 ⊕ f2 < deg f . Suppose that f is balanced. Then sut f = d iff (i) sut f1 = sut f2 = d − 1 and (ii) Wf1 (u) + Wf2 (u) = 0 for all u ∈ Vn−1 of weight d.
I NSTANCE: Two Boolean functions f1 , f2 ∈ Fn−1 and integer d ∈ {0, . . . , 2n−1 }. Q UESTION: Does (ii) hold? C9. I NSTANCE: Boolean function f ∈ Fn . Q UESTION: Is f locally invertible? C10. D EFINITIONS . To each Boolean function f ∈ Fn , we assign the Boolean mapping ρf ∈ Fn+1,n given by ρf (x1 , . . . , xn , y) = (x2 , . . . , xn , f (x1 , . . . , xn ) ⊕ y) (xi , y ∈ F2 ). Furthermore, let ρf (x, y1 , . . . , yk ) = ρf (. . . , ρf (ρf (x, y1 ), y2 ), . . . , yk ) for any x ∈ Vn and yj ∈ F2 . The mapping ρf is called resettable if there exist k ∈ N, y ∈ Vk and z ∈ Vn such that ρf (x, y) = z for all x ∈ Vn . I NSTANCE: Boolean function f ∈ Fn . Q UESTION: Is ρf resettable? C11. I NSTANCE: Boolean function f ∈ Fn and integer r ∈ {0, . . . , n}. Q UESTION: Are there two subspaces U, W ⊆ Vn such that dim U = r, Vn is a direct sum of U and W , and for any u ∈ U there exists w ∈ W satisfying f (u ⊕ w) = 0? C12. I NSTANCE: Set M ⊆ Vn and integer k ∈ {0, . . . , n}.
Open Problems in Boolean Function Theory. The Cryptographer’s View
349
Q UESTION: Are there a subspace U ⊆ Vn of dimension at least k and a vector v ∈ Vn such that v ⊕ U ⊆ M ?
C13. D EFINITIONS . Let d, e be small (as compared to n) numbers such that d > e > 0. I NSTANCE: Function f : F2n → F2 given by a trace representation, F2 -linear mapping φ : F2n → F2n given by a polynomial n−1 k=0
k
φk x2 ,
(φk ∈ F2n ),
positive integer N given in unary, and primitive element a ∈ F2n . Q UESTION: Find nonzero Boolean functions g ∈ Fn+N +1 and h ∈ Fn such that h(x) = g(x, f (φ(a0 λ(x))), . . . , f (φ(aN λ(x)))) for all x ∈ Vn , where λ : Vn → F2n is an arbitrary isomorphism of vector spaces over the F2 , deg h ≤ d, and the degree of the function g w.r.t. the first n variables is at most e. 2.2. Other Problems 1. Find a complete system of affine invariants of the set RM(3, n). 2. Find a complete system of affine invariants of the set Fn .
3. Enumerate all affine equivalence classes of the set RM(3, n). 4. Enumerate all affine equivalence classes of the set Fn .
5. Find the weight spectrum of the code RM(r, n) (i.e., #{f ∈ RM(r, n) | wt(f ) = s} for each s ∈ {0, . . . , 2n }), where r ≥ 3.
6. Enumerate all Hadamard matrices of order n and/or find the number of these matrices (for all n ∈ N).
7. Let J(CI(n)) be the set of all permutations π : Vn → Vn such that f (π(·)) ∈ CI(n) whenever f ∈ CI(n). Also, let Dn be the group of all permutations of Vn having the form (x1 , . . . , xn ) → xσ(1) ⊕ a1 , . . . , xσ(n) ⊕ an ,
where σ is a permutation of n and a1 , . . . , an ∈ F2 . Is it true that J(CI(n)) = Dn ? If not, find J(CI(n)). 8. Find #Bn for all even n ∈ N. Less ambitious problem: find the asymptotic behavior of #Bn as n → ∞ (n is even).
9. Find # CI(n) for all n ∈ N. The asymptotic behavior of # CI(n) as n → ∞ was found by Denisov.
10. Let In be the number of Boolean functions in Fn having defect zero (or, equivalently, perfectly balanced Boolean functions in Fn ). Find In for all n ∈ N. Less ambitious problem: find the asymptotic behavior of In as n → ∞. 11. Suppose that f ∈ Bn is represented in the form f (x) = Ah(x) (x) (x ∈ Vn ), where h ∈ Fn,s is linear and Au ∈ Fn is affine for each u ∈ Vs . In particular, il(f ) ≤ s. Find
350
Open Problems in Boolean Function Theory. The Cryptographer’s View
or estimate il(f), where f is the dual function for f . Find a representation of f in the above form.
12. For any integers n, r, l satisfying 0 ≤ 2r < n and 0 ≤ l ≤ n − 2r, construct a plateaued function f ∈ Fn of order 2r such that dim{u ∈ Vn | Du f = const} = l.
13. For a given r, what is the maximum affine rank κ(r) of the spectrum support of a plateaued Boolean function of order 2r? The affine rank of a set S ⊆ Vn is the minimal dimension of a subspace U ⊆ Vn such that S ⊆ v ⊕ U for some v ∈ Vn . It is known that 2r+1 − 2 ≤ κ(r) ≤ 22r−1 − 2r−1 + r and κ(2) = 6 (Tarannikov). We conjecture that κ(r) = 2r+1 − 2.
14. Do k-resilient Boolean functions f ∈ Fn with nonlinearity 2n−1 − 2k+1 exist for all n, k satisfying (n − 3)/2 ≤ k ≤ n − 2? The least n and k for which the problem remains unresolved are 11 and 4 respectively. 15. Does there exist an unbalanced Boolean function in Fn that is correlation immune of order k and has nonlinearity 2n−1 − 2k where k = 2i , n = 2i+1 + 1, or k = 2i + 1, n = 2i+1 + 2, i = 2, 3, . . . ? 16. What is the maximum number n = p(k) of variables in (n − k)-resilient Boolean function f ∈ Fn that is nonlinear in all n its variables? It is known that 3 · 2k−2 − 2 ≤ p(k) ≤ (k − 1)2k−2 (Tarannikov) and p(4) = 10 (Kirienko). We conjecture that p(k) = 3 · 2k−2 − 2.
17. Does there exist a bent function f ∈ Bn with maximum algebraic immunity n/2 (n is even)? 18. Do Hadamard matrices of order n exist for any n that is a multiple of 4? The least n for which the problem remains unresolved is 668.
19. For a function f ∈ Fn , let Ad (f ) = {g ∈ Fn | f g = 0, deg g ≤ d}. Algorithm 1 (see [1]) receives the table of values of f as an input. This algorithm outputs one of the following answers: “Ad (f ) = 0” or “failed to prove that Ad (f ) = 0”. For a random balanced Boolean function f find the asymptotic behavior (as n → ∞) of conditional probability Pr{Ad (f ) = 0 | Algorithm 1 outputs 2nd answer for the input function f }. as n → ∞.
20. Let Fn+ = {f ∈ Fn | Wf (u) = 0 for all u ∈ Vn }. For a Boolean function f ∈ Fn+ , define the Boolean function sgn f as follows: 0 if Wf (x) > 0, (sgn f )(x) = 1 if Wf (x) < 0
(x ∈ Vn ).
For g ∈ Fn , let Sg = {f ∈ Fn+ | sgn f = g}. It is known that the set Sg is empty if Du g = const for some u ∈ Vn \ {0}. Furthermore, Sg = ∅ for any bent function g ∈ Bn . 1. Find a convenient criterion for emptiness of Sg .
Open Problems in Boolean Function Theory. The Cryptographer’s View
351
2. Find new classes of Boolean functions g such that Sg = ∅. 3. Find necessary and/or sufficient conditions for nonemptiness of Sg in terms of Walsh spectrum of g.
References [1] F. Didier, J.-P. Tillich, Computing the Algebraic Immunity Efficiently, Proc. of FSE 2006, Lecture Notes in Comput. Sci. 4047 (2006), Springer-Verlag, 359–374.
This page intentionally left blank
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved.
353
Subject Index affine equivalence class 58 affine normal form (af.n.f.) 148 algebraic algorithm 23 algebraic attack 183, 296 algebraic degree 296 algebraic normal form 214 algebraic immunity 283, 296 almost perfect nonlinearity 208 annihilator 296 avalanche 243 balance 243 balanced function 33, 97 bent function 3, 148, 232, 243 bent rectangle 3 Boolean circuit 104 Boolean function 23, 58, 73, 97, 148, 173, 183, 214, 243, 283, 289, 296, 343 Boolean mapping 148 complexity 23, 104 correlation immunity 243, 283 232 cyclic code over F2 cyclic code over ℤ 4 232 depth 104 design criterion 183 discrete function 23 equivalence of functions 126 ergodic function 33 fast algorithm 289 fast correlation attack 183 flat 148 flat of local affinity (FLA) 148 flat of weak local affinity (FWLA) 148 Galois field 104 general affine group 58 Global Avalanche Characteristic (GAC) 243
higher order nonlinearity 296 index of linearity 148 inversion 104 Latin square 33 level of affinity 148 local affinity 148 monotone set 73 multiplication 104 nonlinear filter 296 nonlinear order 243 nonlinearity 173, 208, 214, 243, 283, 289, 296 open problem 343 p-adic analysis 33 parquet 148 partitioning Vn into disjoint affine planes 3 perfect nonlinearity 126 planar function 126 plateaued function 148, 243 propagation characteristic 73 pseudorandom generator 33 Reed–Muller code 58, 97 regular bent function 3 resiliency 73, 289 rotational symmetry 214 secret-key cryptography 289 semifield 126 spectrum of FLAs 148 spectrum of FWLAs 148 stream cipher 33, 183, 296 sum-of-square indicator 208 surface 208 T-function 33 vectorial Boolean function 208 Walsh spectrum 173 Walsh–Hadamard transform 3
This page intentionally left blank
Boolean Functions in Cryptology and Information Security B. Preneel and O.A. Logachev (Eds.) IOS Press, 2008 © 2008 IOS Press. All rights reserved.
355
Author Index Agievich, S. Alekseev, V. Anashin, V. Borissov, Y. Botev, A. Braeken, A. Cusick, T.W. Denisenko, M.P. Gashkov, S.B. Helleseth, T. Khalyavin, A. Kyureghyan, G. Langevin, P. Leander, G. Lobanov, M. Logachev, O.A. Maitra, S. Mihaljević, M.J.
3 23 33 58 283 58, 73 97 148 104 126 289 126 139 139 296 v, 148 173 183
Ness, G.J. Nikov, V. Nikova, S. Nosov, V.A. Pott, A. Preneel, B. Rodier, F. Sergeev, I.S. Shipunov, S.G. Stănică, P. Tarannikov, Y. Wolfmann, J. Yarykina, M. Yashchenko, V.V. Zhang, X.-M. Zheng, Y. Zverev, A.
126 73 58, 73 200 126 v, 58, 73 208 104 307 214 219 232 315 148 243 243 331
This page intentionally left blank